PT-2025-51968 · Unknown · Projectsend

Mirabbas Ağalarov

·

Published

2025-12-17

·

Updated

2025-12-26

·

CVE-2023-53930

CVSS v3.1

7.5

High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ProjectSend version r1605
Description: An insecure direct object reference (IDOR) exists in ProjectSend r1605. An unauthenticated attacker can download private files by changing the id parameter in a download request to the 'process.php' endpoint: the endpoint resolves the file by id without verifying that the requester is logged in or is entitled to that file, so any user's private files can be retrieved.
Recommendations: Enforce authorization in the 'process.php' download handler: require an authenticated session and, before serving a file, verify that the file referenced by id is one the requesting user owns or has been granted access to. Validating that id is a well-formed integer is necessary but not sufficient; the fix is an authorization check on the resolved file, not input sanitization of the parameter.
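The following is an added example, not code from ProjectSend or from the advisory author. It models the download logic described above in Python: a handler that serves any file whose id exists (the IDOR), beside a hardened handler that ties the lookup to the session and to an ownership/sharing check. The file table, user names, request/response types and the `probe` helper are all constructed for the illustration; the real endpoint's internals are not reproduced here.

```python
"""Model of a download endpoint with an IDOR on the id parameter, and its fix.

Added example; not ProjectSend code. All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StoredFile:
    owner: str                      # user who uploaded the file
    shared_with: frozenset          # users the owner granted access to
    contents: bytes
    public: bool = False            # True = intentionally downloadable by anyone


# Constructed file table keyed by the sequential integer id a client sends.
FILES: Dict[int, StoredFile] = {
    1: StoredFile("alice", frozenset({"bob"}), b"Q3 financials (alice -> bob)"),
    2: StoredFile("carol", frozenset(), b"carol's private notes"),
    3: StoredFile("alice", frozenset(), b"press release", public=True),
}


@dataclass
class Request:
    params: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None   # None models an unauthenticated client


@dataclass
class Response:
    status: int
    body: bytes = b""


def _parse_id(req: Request) -> Optional[int]:
    """Return the id parameter as an int, or None if missing/malformed."""
    raw = req.params.get("id", "")
    return int(raw) if raw.isdigit() else None


def download_vulnerable(req: Request) -> Response:
    """Serves any file whose id exists. Existence is the only check, so an
    unauthenticated caller can walk the id space and pull every private file."""
    file_id = _parse_id(req)
    if file_id is None:
        return Response(400)
    f = FILES.get(file_id)
    if f is None:
        return Response(404)
    return Response(200, f.contents)


def user_may_access(user: Optional[str], f: StoredFile) -> bool:
    """Authorization rule: public files to anyone; otherwise owner or an explicit share."""
    if f.public:
        return True
    return user is not None and (user == f.owner or user in f.shared_with)


def download_fixed(req: Request) -> Response:
    """Same lookup, but the decision to serve depends on who is asking."""
    file_id = _parse_id(req)
    if file_id is None:
        return Response(400)
    f = FILES.get(file_id)
    if f is None or not user_may_access(req.session_user, f):
        if req.session_user is None and f is not None and not f.public:
            return Response(401)   # not logged in: send to login, serve nothing
        # Missing and forbidden look the same (404), so an authenticated user
        # cannot use the status code to enumerate which ids belong to others.
        return Response(404)
    return Response(200, f.contents)


def probe(handler, max_id: int, session_user: Optional[str] = None) -> List[int]:
    """Walk ids 1..max_id as a given caller; return the ids that were served.
    Models the enumeration an attacker performs against the endpoint."""
    served = []
    for i in range(1, max_id + 1):
        resp = handler(Request({"id": str(i)}, session_user))
        if resp.status == 200:
            served.append(i)
    return served


if __name__ == "__main__":
    print("vulnerable, unauthenticated:", probe(download_vulnerable, 5))   # every file
    print("fixed, unauthenticated:     ", probe(download_fixed, 5))        # public only
    print("fixed, as bob:              ", probe(download_fixed, 5, "bob")) # shared + public
```

The `probe` run is the practical check after patching: an unauthenticated walk over the id range should return only files that are meant to be public, and an authenticated walk should return only the caller's own files, their shares, and public files. In the vulnerable model the same walk returns every id that exists.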

Exploit

Fix

IDOR


Weakness Enumeration

Related identifiers

CVE-2023-53930

Affected products

Projectsend