PT-2026-39521 · Unknown · Projectsend

Abdullah Kala · Published 2026-05-10 · Updated 2026-05-10 · CVE-2021-47947

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Projectsend version r1295

Description
An authenticated attacker can inject malicious scripts by submitting crafted input through the name parameter in the 'files-edit.php' endpoint. These JavaScript payloads execute in the browser of other users, specifically targeting System Administrator users on the Dashboard page, when the file is viewed. This is a stored cross-site scripting issue, where a script is permanently stored on the server and served to other users.

Recommendations
As a temporary workaround, restrict access to the 'files-edit.php' endpoint or avoid using the name parameter until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
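
Because the script is stored, names saved before the workaround was applied are still served to administrators on the Dashboard. The following is an added example, not Projectsend code: it triages stored names for markup and shows the name encoded at output time. The record fields, sample rows and function names are constructed for illustration.

```python
import html
import re

# Constructed sample rows; the field names are hypothetical, not Projectsend's schema.
SAMPLE_FILES = [
    {"id": 1, "name": "Q3 report.pdf", "uploader": "alice"},
    {"id": 2, "name": "<script>alert(1)</script>", "uploader": "mallory"},
    {"id": 3, "name": 'logo" onmouseover="x', "uploader": "mallory"},
    {"id": 4, "name": '5" monitor specs.txt', "uploader": "bob"},
]

# Characters that can break out of element content or a quoted attribute.
HTML_META = re.compile(r"[<>\"'`]")
# Tag-like sequences, inline event handlers and javascript: URLs.
ACTIVE = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.I)


def classify(name):
    """Return 'active', 'markup' or 'clean' for a stored display name."""
    if ACTIVE.search(name):
        return "active"   # review first: looks like script-bearing markup
    if HTML_META.search(name):
        return "markup"   # unusual characters, probably benign, still needs encoding
    return "clean"


def audit(rows):
    """List (id, uploader, verdict) for every stored name that is not clean."""
    findings = []
    for row in rows:
        verdict = classify(row["name"])
        if verdict != "clean":
            findings.append((row["id"], row["uploader"], verdict))
    return findings


def render_cell(name):
    """Encode the name when it is written into the page, so it stays text."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
    print(render_cell(SAMPLE_FILES[1]["name"]))
```

Rows flagged as active also identify the authenticated account that saved the name, which is the starting point for reviewing that account's other uploads.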

Exploit

XSS

Weakness Enumeration

Related Identifiers: CVE-2021-47947

Affected Products: Projectsend