Primary

Context

ProjectSend Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in ProjectSend version r1605. This issue allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. The injected script executes when other users view the affected page, creating a persistent script injection risk.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the custom assets page. From there, access the option to add new JavaScript. Inject a script payload, such as an alert, and save the changes. The injected script will execute when the page is loaded by other users.

Added: Dec 17, 2025, 11:47 PM

Updated: Dec 17, 2025, 11:47 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

6.5

remediation

0.0

relevance

1.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

6.5

remediation

0.0

relevance

1.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

ProjectSend Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

projectSend

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating