Projectsend
CVE-2019-11533
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML.
AnalysisAI
Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 allows remote attackers to inject arbitrary web script or HTML. Affected products include: Projectsend.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Projectsend
View allProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows rem
install/make-config.php in ProjectSend r754 allows remote attackers to execute arbitrary PHP code via the dbprefix param
Projectsend version r1295 is affected by a directory traversal vulnerability. Rated critical severity (CVSS 9.8), this v
An issue was discovered in ProjectSend r1053. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
Projectsend version r1295 is affected by sensitive information disclosure. Rated high severity (CVSS 8.1), this vulnerab
reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business
SQL injection vulnerability in client-edit.php in ProjectSend (formerly cFTP) r561 allows remote authenticated users to
Projectsend version r1295 is affected by a directory traversal vulnerability. Rated medium severity (CVSS 6.5), this vul
Projectsend version r1295 is affected by Cross Site Scripting (XSS) due to lack of sanitization when echo output data in
Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) r561 allows remote attackers to inject arbitrary
Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606. Rated medium severity (
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today