CVE-2021-40887

Name of the Vulnerable Software and Affected Versions Projectsend version r1295

Description The issue is related to a directory traversal vulnerability. Due to a lack of sanitization for the files[] parameter, an attacker can exploit this by adding ../ to move PHP files or any file on the system with permissions to the /upload/files/ folder.

Recommendations For Projectsend version r1295, consider restricting access to the files[] parameter to prevent directory traversal attacks until a patch is available. As a temporary workaround, avoid using the files[] parameter in the affected API endpoint until the issue is resolved.