NVD:CVE-2021-40887
Oct 11, 2021 - 11:15 a.m.

CVE-2021-40887

2021-10-11 11:15:09
CWE-22
web.nvd.nist.gov
projectsend version r1295
directory traversal
vulnerability
input sanitization
files parameter
attacker
php files
system permissions
upload folder

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.006
Percentile: 78.1%

ProjectSend version r1295 is affected by a directory traversal vulnerability. Because input to the files[] parameter is not sanitized, an attacker can add ../ to move all PHP files, or any file on the system that has permissions, to the /upload/files/ folder.

Affected configurations

Nvd
Node: projectsend projectsend, Match: r1295

Vendor: projectsend
Product: projectsend
Version: r1295
CPE: cpe:2.3:a:projectsend:projectsend:r1295:*:*:*:*:*:*:*
