PT-2025-51944 · Unknown · Projectsend
Mirabbas Ağalarov
·
Published
2025-12-17
·
Updated
2025-12-26
·
CVE-2023-53906
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
projectSend version r1605
Description
The software contains a stored cross-site scripting issue. Authenticated administrators can inject malicious JavaScript through the custom assets configuration page. An attacker can create a JavaScript payload within the custom assets section, which will execute when other users access the affected page, resulting in persistent script injection.
Recommendations
Administrators should sanitize or encode any user-supplied content within the custom assets configuration page to prevent the injection of malicious scripts.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Projectsend