Authentication Bypass in ProjectSend by SandboxEscape
CVE-2016-10732

9.8CRITICAL

Key Information:

Vendor: Projectsend
Status: Projectsend
Vendor: CVE Published:; 29 October 2018

🔔 Create Projectsend Vulnerability Alert

What is CVE-2016-10732?

An authentication bypass vulnerability exists in ProjectSend (formerly cFTP) r582, allowing unauthorized users to access sensitive functions. Attackers can exploit this flaw through direct requests to specific PHP scripts, including users.php, home.php, edit-file.php?file_id=1, and process-zip-download.php. This can enable them to manipulate user accounts and perform unauthorized actions, leading to compromised instances of the application.

References

https://github.com/sandboxescape/ProjectSend-multiple-vul...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 29, 2018
Vulnerability Reserved
Oct 27, 2018