CVE-2021-47947

Projectsend r1295 Stored Cross-Site Scripting via files-edit.php

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Productos afectados

Projectsend · Projectsend

PoCs públicas encontradas — 1

cve_referencewww.exploit-db.com/exploits/50240no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.exploit-db.com/exploits/50240 https://www.projectsend.org/https://www.projectsend.org/download/387/https://www.vulncheck.com/advisories/projectsend-r1295-stored-cross-site-scripting-via-files-edit-php