Description
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
Remediation
References
Related Vulnerabilities
WordPress CVE-2019-17673 Vulnerability (CVE-2019-17673)
MySQL CVE-2014-4207 Vulnerability (CVE-2014-4207)
WordPress Plugin WordPress Gallery-NextGEN Gallery Cross-Site Request Forgery (3.28)
Oracle JRE CVE-2019-2949 Vulnerability (CVE-2019-2949)
WordPress Plugin Appointment Calendar Multiple Cross-Site Scripting Vulnerabilities (2.7.4)