333 matches found
Cross-site Scripting (XSS) - Stored in projectsend/projectsend
💥 BUG CSRF bug to delete file 💥 SUMMARY During batch delete of files there is no CSRF token present 💥 STEPS TO REPRODUCE 1. The vulnerable URL is http://localhost/projectsend2/manage-files.php?action=delete&batch=27&batch=31&page=1 . Here in this URL change the file ID to delete, open the URL and see the file...
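The report above describes a state-changing action (batch file delete) triggered by a plain GET with no anti-CSRF token, so any page the logged-in admin visits can fire that URL. The following is an added illustration, not ProjectSend's code: a minimal model of the delete action as reported, beside a hardened version that only accepts POST, takes the ids from the form body, and requires a per-session synchroniser token compared in constant time. The file table, the session class and the handler names are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample state: file ids visible to the logged-in admin.
FILES = {27: "report.pdf", 31: "invoice.xlsx", 40: "notes.txt"}

# The URL from the report; an attacker page can embed it as <img src="...">.
FORGED_URL = ("http://localhost/projectsend2/manage-files.php"
              "?action=delete&batch=27&batch=31&page=1")


def _query(url):
    """Query parameters of a manage-files.php style URL, each as a list."""
    return parse_qs(urlsplit(url).query)


def _to_ids(values):
    """Parse id strings, ignoring anything that is not an integer."""
    ids = []
    for v in values:
        try:
            ids.append(int(v))
        except ValueError:
            continue
    return ids


def delete_batch_vulnerable(files, url):
    """Model of the reported behaviour: a GET request is enough, no token is
    checked, so a cross-site request from the victim's browser succeeds."""
    q = _query(url)
    if q.get("action") != ["delete"]:
        return []
    deleted = []
    for fid in _to_ids(q.get("batch", [])):
        if fid in files:
            del files[fid]
            deleted.append(fid)
    return deleted


class CsrfSession:
    """Hypothetical per-session synchroniser token holder (assumption, not
    ProjectSend's session model). The token is rendered into the delete form."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)


def delete_batch_hardened(files, session, method, url, form):
    """Same action with the two fixes a reviewer would ask for: state changes
    only on POST, and the form must carry the session token. compare_digest
    keeps the check constant-time; the ids come from the POST body, not the URL."""
    if method != "POST":
        return []
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent, session.token):
        return []
    if _query(url).get("action") != ["delete"]:
        return []
    deleted = []
    for fid in _to_ids(form.get("batch", [])):
        if fid in files:
            del files[fid]
            deleted.append(fid)
    return deleted


if __name__ == "__main__":
    store = dict(FILES)
    print("vulnerable, forged GET deleted:", delete_batch_vulnerable(store, FORGED_URL))
    store = dict(FILES)
    sess = CsrfSession()
    print("hardened, forged GET deleted:", delete_batch_hardened(store, sess, "GET", FORGED_URL, {}))
    print("hardened, legitimate POST deleted:",
          delete_batch_hardened(store, sess, "POST", FORGED_URL,
                                {"csrf_token": sess.token, "batch": ["27", "31"]}))
```

A token alone does not help if the action still answers GET: the forged request would simply omit the token and the check must then reject it, which is why the hardened handler refuses non-POST requests before anything else.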
Cross-site Scripting (XSS) - Stored in projectsend/projectsend
💥 BUG Stored XSS during file upload 💥 STEPS TO REPRODUCE Check this 1-minute video to reproduce the bug https://drive.google.com/file/d/17TkVQxAOuXxSnlaPh4smvbJndcW-JQla/view?usp=sharing 💥 IMPACT A lower-level user can make an XSS attack against the admin. So, using this XSS bug, a lower-level user can execut...
CVE-2020-28874
reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter...
Default credentials
reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter...
ProjectSend Security Vulnerability
ProjectSend, formerly cFTP, is a suite of self-hosted applications based on PHP and MySQL. ProjectSend before r1295 suffers from a security vulnerability that incorrectly resets passwords due to faulty business logic...
CVE-2020-28874
The CVE-2020-28874 issue affects ProjectSend’s reset-password.php before r1295, where incorrect business logic allows password reset without a valid token. Root cause: user_data is derived from an uncleaned username (GET parameter) and then reused in POST flow, enabling an attacker to trick the s...
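The entry above gives the shape of the flaw: the user record is chosen from a client-supplied username, the token check only records an error, and the POST branch then updates whatever user record it already has. The following is an added model of that flow, written here to illustrate the pattern and not taken from ProjectSend's reset-password.php; the in-memory user and token tables, the function names and the return strings are assumptions. The hardened variant derives the identity from the token row, treats every validation failure as a hard stop, and consumes the token after use.

```python
import hmac
import secrets
import time

# Constructed sample state, not ProjectSend's schema.
USERS = {"admin": {"password": "old-admin-pw"},
         "client1": {"password": "old-client-pw"}}


def issue_token(tokens, username, ttl=3600):
    """Create a single-use reset token bound to a username with an expiry."""
    tok = secrets.token_urlsafe(32)
    tokens[tok] = (username, time.time() + ttl)
    return tok


def reset_password_vulnerable(users, tokens, method, params):
    """Model of the flawed logic: user_data comes from params['user'], the
    token problems are only appended to an error list, and the POST branch
    never re-checks that list or that the token belongs to user_data."""
    errors = []
    user_data = users.get(params.get("user"))
    entry = tokens.get(params.get("token", ""))
    if entry is None:
        errors.append("invalid token")
    elif entry[1] < time.time():
        errors.append("expired token")
    if method == "POST" and user_data is not None:
        # Bug: reached even when errors is non-empty.
        user_data["password"] = params["new_password"]
        return "password updated"
    return "errors: " + ", ".join(errors) if errors else "form shown"


def reset_password_hardened(users, tokens, method, params):
    """Identity is taken from the token row, every failure aborts, the token
    is compared in constant time and deleted once used."""
    if method != "POST":
        return "form shown"
    tok = params.get("token", "")
    match = None
    for stored, (username, exp) in tokens.items():
        if hmac.compare_digest(stored, tok):
            match = (stored, username, exp)
    if match is None:
        return "rejected: invalid token"
    stored, username, exp = match
    if exp < time.time():
        del tokens[stored]
        return "rejected: expired token"
    users[username]["password"] = params["new_password"]
    del tokens[stored]  # single use
    return "password updated"


if __name__ == "__main__":
    users = {k: dict(v) for k, v in USERS.items()}
    attack = {"user": "admin", "token": "bogus", "new_password": "pwned"}
    print("vulnerable:", reset_password_vulnerable(users, {}, "POST", attack),
          "admin password now", users["admin"]["password"])
    users = {k: dict(v) for k, v in USERS.items()}
    print("hardened:", reset_password_hardened(users, {}, "POST", attack),
          "admin password still", users["admin"]["password"])
```

The telling test is the attack dictionary: a bogus token plus a chosen username. Any reset handler where that request changes a password has the same defect regardless of how the error list is later displayed.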
Exploit for Improper Authentication in Projectsend
This repository contains the description of the vulnerability fo...
ProjectSend cross-site scripting vulnerability (CNVD-2019-36883)
ProjectSend, formerly known as cFTP, is a suite of self-hosted applications based on PHP and MySQL. A cross-site scripting vulnerability exists in the 'Name' field of the My Account page in versions prior to ProjectSend r1053. The vulnerability stems from the web application's lack of proper...
Input validation
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel...
CVE-2018-7201
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel...
CVE-2018-7201
CVE-2018-7201 corresponds to a CSV Injection vulnerability in ProjectSend prior to version r1053. The issue arises when exporting/loading data for use in Microsoft Excel, enabling injection via CSV fields. Affected product: ProjectSend (before r1053). Root cause details are described only as a CS...
CVE-2018-7202
An issue was discovered in ProjectSend before r1053. XSS exists in the "Name" field on the My Account page...
CVE-2018-7202
CVE-2018-7202 affects ProjectSend prior to r1053, where an XSS flaw exists in the Name field on the My Account page. Root cause: insufficient input validation/escaping in that field, enabling injection of client-side scripts. Impact is cross-site scripting affecting users handling their My Accoun...
ProjectSend CSV Injection Vulnerability
ProjectSend, formerly known as cFTP, is a suite of self-hosted applications based on PHP and MySQL. A CSV injection vulnerability exists in versions prior to ProjectSend r1053 that affects victims who import data into Microsoft Excel...