Vulnerabilities > Projectsend > Projectsend > 582
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-01 | CVE-2023-0607 | Cross-site Scripting vulnerability in Projectsend Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606. | 4.8 |
| 2021-01-26 | CVE-2020-28874 | Improper Privilege Management vulnerability in Projectsend reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. | 5.0 |
| 2019-05-22 | CVE-2018-7201 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Projectsend CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel. | 6.8 |
| 2019-05-22 | CVE-2018-7202 | Cross-site Scripting vulnerability in Projectsend An issue was discovered in ProjectSend before r1053. | 4.3 |
| 2019-04-26 | CVE-2019-11533 | Cross-site Scripting vulnerability in Projectsend Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML. | 4.3 |
| 2019-04-26 | CVE-2019-11492 | Information Exposure Through Log Files vulnerability in Projectsend ProjectSend before r1070 writes user passwords to the server logs. | 5.0 |
| 2018-10-29 | CVE-2016-10734 | Improper Authorization vulnerability in Projectsend 582 ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php. | 7.5 |
| 2018-10-29 | CVE-2016-10733 | Path Traversal vulnerability in Projectsend 582 ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string. | 7.5 |
| 2018-10-29 | CVE-2016-10732 | Improper Authentication vulnerability in Projectsend 582 ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php. | 7.5 |
| 2018-10-29 | CVE-2016-10731 | SQL Injection vulnerability in Projectsend 582 ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status, process-zip-download.php with the request parameter file, or home-log.php with the request parameter action. | 7.5 |