CVE-2023-53980

Name of the Vulnerable Software and Affected Versions ProjectSend version r1605

Description ProjectSend r1605 contains a remote code execution issue that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server. The issue bypasses file extension checks, enabling attackers to upload and execute malicious scripts, potentially leading to complete server compromise.

Recommendations For ProjectSend version r1605, restrict access to the upload.process.php endpoint to prevent unauthorized file uploads. As a temporary workaround, consider disabling file upload functionality until a patch is available.