Arbitrary file upload in ProjectSend - CVE-2019-11378


Published: April 20, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35983
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-11378
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ProjectSend
Affected software: ProjectSend

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code on the target system.

The issue was discovered in ProjectSend r1053. The upload-process-form.php script does not properly validate entries of the finished_files[] request parameter, so an authenticated user can supply directory-traversal sequences (for example finished_files[]=../) and make the application operate on paths outside the intended upload directory. This makes it possible to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
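The class of bug described above is a user-controlled file name being joined onto a server-side directory without validation. The PHP below is an added example written for this page; it is not ProjectSend's code and does not reproduce the vendor's fix. The function names (resolve_finished_file, resolve_finished_files), the demo directory and the sample file names are assumptions made for illustration. It shows the generic hardened pattern: accept only a bare file name, canonicalise with realpath(), and confirm the result is strictly inside the upload directory.

```php
<?php
// Added example (not ProjectSend's code): validate user-supplied "finished file"
// names before building a filesystem path from them.
//
// The unsafe pattern behind this class of bug looks like the following
// (illustrative only, not the actual ProjectSend source):
//
//   $path = UPLOADS_DIR . '/' . $_POST['finished_files'][0];   // "../" passes straight through
//
// resolve_finished_file() returns the canonical path of the file inside
// $uploadDir, or null when the entry must be rejected.

function resolve_finished_file(string $uploadDir, string $name): ?string
{
    // Reject NUL bytes: they can truncate paths in lower-level string handling.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Only a bare file name is acceptable; any directory component (including
    // "../") means the client is pointing outside the upload directory.
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and normalises the path; it returns false
    // when the file does not exist, which is itself a rejection here.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false) {
        return null;
    }
    // Defence in depth: even after the basename check, confirm the canonical
    // path is strictly inside the upload directory (catches symlinks out of it).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Validate every entry of finished_files[] and fail on the first bad one
// instead of silently skipping it.
function resolve_finished_files(string $uploadDir, array $entries): array
{
    $resolved = [];
    foreach ($entries as $entry) {
        if (!is_string($entry)) {
            throw new InvalidArgumentException('finished_files[] entries must be strings');
        }
        $path = resolve_finished_file($uploadDir, $entry);
        if ($path === null) {
            throw new InvalidArgumentException('Rejected finished_files entry: ' . $entry);
        }
        $resolved[] = $path;
    }
    return $resolved;
}

// Self-contained demonstration on a constructed temporary upload directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ps-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed upload');

$cases = [
    'report.pdf',         // legitimate and present  -> accepted
    '../../etc/passwd',   // traversal               -> rejected
    "report.pdf\0.txt",   // NUL byte                -> rejected
    'missing.bin',        // never uploaded          -> rejected
];
foreach ($cases as $c) {
    $r = resolve_finished_file($dir, $c);
    printf("%-24s => %s\n", addcslashes($c, "\0"), $r === null ? 'REJECTED' : $r);
}

unlink($dir . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($dir);
```

The basename() check alone would already stop the ../ entries from the advisory; the realpath() comparison is kept because it also rejects a symlink planted inside the upload directory that points elsewhere, which a string check cannot see.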


How to mitigate CVE-2019-11378

Install the latest update from the vendor's website. ProjectSend r1053 is the revision named as affected in this advisory.
