A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
| Link | Tags |
|---|---|
| https://vuldb.com/?id.274115 | third party advisory vdb entry technical description |
| https://vuldb.com/?ctiid.274115 | signature vdb entry permissions required |
| https://vuldb.com/?submit.385000 | third party advisory vdb entry |
| https://github.com/projectsend/projectsend/commit/eb5a04774927e5855b9d0e5870a2aae5a3dc5a08 | patch |
| https://github.com/projectsend/projectsend/releases/tag/r1720 | patch release notes |
| https://www.kiyell.com/private-files-from-projectsend-idor/ |