PT-2021-23005 · Unknown · Projectsend

Kietna-68

Published

2021-10-11

Updated

2021-10-18

CVE-2021-40888

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Projectsend version r1295

Description The issue is caused by a lack of sanitization when echoing output data in the returnFilesIds() function, allowing a low privilege user to execute scripting code through the process.php file. This is a Cross Site Scripting (XSS) issue.

Recommendations For Projectsend version r1295, consider disabling the returnFilesIds() function until a patch is available to prevent exploitation. Restrict access to the process.php file to minimize the risk of scripting code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-40888

Affected Products

Projectsend

PT-2021-23005 · Unknown · Projectsend

CVE-2021-40888

Weakness Enumeration

Related Identifiers

Affected Products

References · 6