Summaryinfo

A vulnerability has been found in ProjectSend r754 and classified as problematic. This affects an unknown part of the file process.php?do=zip_download. Performing a manipulation of the argument client/file results in information disclosure. This vulnerability is known as CVE-2017-20101. Remote exploitation of the attack is possible. No exploit is available.

Detailsinfo

A vulnerability, which was classified as problematic, was found in ProjectSend r754 (Project Management Software). This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality.

The weakness was published 02/22/2017 by Lawrence Amer with Vulnerability Lab as ProjectSend r754 - IDOR & Authentication Bypass Vulnerability as not defined mailinglist post (Full-Disclosure). It is possible to read the advisory at seclists.org. This vulnerability is uniquely identified as CVE-2017-20101. It is possible to initiate the attack remotely. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Project Management Software

Name

• ProjectSend

Version

• r754

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

Video

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion