Cross-Site Scripting Vulnerability in ProjectSend File Editor Component
CVE-2025-13232

5.1 MEDIUM

Key Information:

Vendor
CVE Published: 16 November 2025

What is CVE-2025-13232?

A significant cross-site scripting vulnerability has been identified in the File Editor/Custom Download Aliases component of ProjectSend. This flaw allows attackers to execute arbitrary scripts in the context of the user's browser, which can lead to unauthorized access to and manipulation of user data. The vulnerability is exploitable remotely, emphasizing the importance of immediate action. Users are strongly advised to upgrade to version r1945 or later to mitigate this risk effectively. The recent patch, identified as commit 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845, provides a comprehensive fix for this issue.

Affected Version(s)

projectsend r1720

projectsend r1945

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Raducu Alexandru-ionut
Xoriath (VulDB User)