Vulnerabilities > Projectsend > Critical

DATE CVE VULNERABILITY TITLE RISK
2024-11-26 CVE-2024-11680 Incorrect Authorization vulnerability in Projectsend
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability.
network
low complexity
projectsend CWE-863
critical
9.8
2021-10-11 CVE-2021-40887 Path Traversal vulnerability in Projectsend R1295
Projectsend version r1295 is affected by a directory traversal vulnerability.
network
low complexity
projectsend CWE-22
critical
9.8
2018-10-29 CVE-2016-10734 Improper Authorization vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.
network
low complexity
projectsend CWE-285
critical
9.8
2018-10-29 CVE-2016-10733 Path Traversal vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query string.
network
low complexity
projectsend CWE-22
critical
9.8
2018-10-29 CVE-2016-10732 Improper Authentication vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php.
network
low complexity
projectsend CWE-287
critical
9.8
2018-10-29 CVE-2016-10731 SQL Injection vulnerability in Projectsend 582
ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status, process-zip-download.php with the request parameter file, or home-log.php with the request parameter action.
network
low complexity
projectsend CWE-89
critical
9.8
2017-06-18 CVE-2017-9741 Improper Input Validation vulnerability in Projectsend R754
install/make-config.php in ProjectSend r754 allows remote attackers to execute arbitrary PHP code via the dbprefix parameter, related to replacing TABLES_PREFIX in the configuration file.
network
low complexity
projectsend CWE-20
critical
9.8