Vulnerabilities > Projectsend

DATE CVE VULNERABILITY TITLE RISK
2019-05-22 CVE-2018-7201 Improper Neutralization of Formula Elements in a CSV File vulnerability in Projectsend
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
network
low complexity
projectsend CWE-1236
8.8
2019-05-22 CVE-2018-7202 Cross-site Scripting vulnerability in Projectsend
An issue was discovered in ProjectSend before r1053.
network
low complexity
projectsend CWE-79
6.1
2019-04-26 CVE-2019-11533 Cross-site Scripting vulnerability in Projectsend
Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML.
network
low complexity
projectsend CWE-79
6.1
2019-04-26 CVE-2019-11492 Information Exposure Through Log Files vulnerability in Projectsend
ProjectSend before r1070 writes user passwords to the server logs.
network
low complexity
projectsend CWE-532
7.5
2019-04-20 CVE-2019-11378 Path Traversal vulnerability in Projectsend R1053
An issue was discovered in ProjectSend r1053.
network
low complexity
projectsend CWE-22
8.8
2018-10-29 CVE-2016-10734 Improper Authorization vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.
network
low complexity
projectsend CWE-285
critical
9.8
2018-10-29 CVE-2016-10733 Path Traversal vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string.
network
low complexity
projectsend CWE-22
critical
9.8
2018-10-29 CVE-2016-10732 Improper Authentication vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php.
network
low complexity
projectsend CWE-287
critical
9.8
2018-10-29 CVE-2016-10731 SQL Injection vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status, process-zip-download.php with the request parameter file, or home-log.php with the request parameter action.
network
low complexity
projectsend CWE-89
critical
9.8
2018-03-06 CVE-2017-9786 Cross-site Scripting vulnerability in Projectsend
Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in My account Name updated, related to home.php and actions-log.php.
network
low complexity
projectsend CWE-79
6.1