Description

An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.

Remediation

References

CVE-2019-11378

Related Vulnerabilities

Dot CMS Uncontrolled Recursion Vulnerability (CVE-2022-37034)

Atlassian Jira CVE-2021-39123 Vulnerability (CVE-2021-39123)

Magento XML Injection (aka Blind XPath Injection) Vulnerability (CVE-2021-21019)

Magento Improper Access Control Vulnerability (CVE-2021-21020)

Zope Web Application Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-4924)

Severity

High

Classification

CVE-2019-11378 CWE-434 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities