Authentication Bypass in ProjectSend by SandboxEscape
CVE-2016-10732

9.8CRITICAL

Key Information:

Vendor: Projectsend
Status: Projectsend
Vendor: CVE Published:; 29 October 2018

What is CVE-2016-10732?

An authentication bypass vulnerability exists in ProjectSend (formerly cFTP) r582, allowing unauthorized users to access sensitive functions. Attackers can exploit this flaw through direct requests to specific PHP scripts, including users.php, home.php, edit-file.php?file_id=1, and process-zip-download.php. This can enable them to manipulate user accounts and perform unauthorized actions, leading to compromised instances of the application.

References

https://github.com/sandboxescape/ProjectSend-multiple-vul...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 29, 2018
Vulnerability Reserved
Oct 27, 2018

Projectsend

What is CVE-2016-10732?

References

CVSS V3.1

Timeline