3 matches found
CVE-2019-11378
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finishedfiles=../ directory traversal. It is possible for users to read arbitrary files and potentially access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code...
CVE-2019-11378
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finishedfiles=../ directory traversal. It is possible for users to read arbitrary files and potentially access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code...
CVE-2019-11378
ProjectSend (revision r1053) is affected by CVE-2019-11378 through the upload-process-form.php endpoint, where finished_files[]=../ enables directory traversal. This allows attackers to read arbitrary files and potentially access the supporting database, delete files, leak user passwords, or exec...