PT-2025-51968 · Unknown · Projectsend

Mirabbas Ağalarov · Published 2025-12-17 · Updated 2025-12-26 · CVE-2023-53930

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ProjectSend version r1605

Description

An insecure direct object reference issue exists in ProjectSend r1605. An unauthenticated attacker can download private files by manipulating the id parameter in a download request to the 'process.php' endpoint. This allows access to any user's private files.

Recommendations

Apply appropriate access controls to the 'process.php' endpoint to prevent unauthorized file downloads. Sanitize or validate the id parameter to ensure it corresponds to a legitimate file accessible to the requesting user.
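
The recommended checks, sketched as an added example (not ProjectSend's own code or its actual fix): the function name, the file records and the owner/shared_with schema are hypothetical and constructed for illustration. It refuses unauthenticated requests, validates the id, and then checks that the file belongs to or is shared with the requesting user.

```php
<?php
declare(strict_types=1);

// Constructed sample data: file id => owner and the users it is shared with.
// Hypothetical schema, not ProjectSend's real database layout.
const FILES = [
    101 => ['owner' => 1, 'shared_with' => [2], 'path' => '/srv/files/101.bin'],
    102 => ['owner' => 3, 'shared_with' => [],  'path' => '/srv/files/102.bin'],
];

/**
 * Decide whether a download request may proceed (hypothetical helper).
 * Returns [HTTP status, file path or null].
 */
function authorize_download(?int $sessionUserId, mixed $rawId, array $files): array
{
    // 1. No authenticated session: refuse before looking at the id at all.
    if ($sessionUserId === null) {
        return [401, null];
    }
    // 2. Validate the id: a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, null];
    }
    // 3. Object-level check: the file must exist AND be owned by, or shared
    //    with, the requester. Both failures return the same 404 so responses
    //    do not reveal which ids exist.
    $file = $files[$id] ?? null;
    if ($file === null
        || ($file['owner'] !== $sessionUserId
            && !in_array($sessionUserId, $file['shared_with'], true))) {
        return [404, null];
    }
    return [200, $file['path']];
}

// Constructed requests: (session user id or null, raw id parameter).
$cases = [[null, '102'], [1, '101'], [2, '101'], [2, '102'], [1, '101 OR 1=1'], [1, '999']];
foreach ($cases as [$user, $rawId]) {
    [$status] = authorize_download($user, $rawId, FILES);
    printf("user=%s id=%s -> %d\n", var_export($user, true), $rawId, $status);
}
```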

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2023-53930

Affected Products: Projectsend