CVE-2024-7658

EPSS 0.79%
Veröffentlicht 12.08.2024 13:38:49
Zuletzt bearbeitet 13.01.2025 21:15:14
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

projectsend process.php get_preview resource injection

A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.

Betroffene Produkte Warnungen 0 Metriken 5 CWE 2 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Projectsend ≫ Projectsend Version < r1720

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.79%	0.515

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cna@vuldb.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cna@vuldb.com	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-99 Improper Control of Resource Identifiers ('Resource Injection')

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

https://github.com/projectsend/projectsend/commit/eb5a04774927e5855b9d0e5870a2aae5a3dc5a08

Patch

https://github.com/projectsend/projectsend/releases/tag/r1720

Release Notes

https://vuldb.com/?ctiid.274115

VDB Entry

Permissions Required

https://vuldb.com/?id.274115

Third Party Advisory

VDB Entry

https://vuldb.com/?submit.385000

Third Party Advisory

VDB Entry

https://www.kiyell.com/private-files-from-projectsend-idor/

https://nvd.nist.gov/vuln/detail/CVE-2024-7658

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-7658

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-7658

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-7658