CVE-2024-7658

low-risk

Published 2024-08-12

A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.

Do I need to act?

0.25% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Projectsend

Affected Vendors

Projectsend

References (6)

Patch https://github.com/projectsend/projectsend/commit/eb5a04774927e5855b9d0e5870a2aa...

Release Notes https://github.com/projectsend/projectsend/releases/tag/r1720

Permissions Required https://vuldb.com/?ctiid.274115

Third Party Advisory https://vuldb.com/?id.274115

Third Party Advisory https://vuldb.com/?submit.385000

https://www.kiyell.com/private-files-from-projectsend-idor/

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal