ProjectSend Missing Authorization Vulnerability in AJAX Endpoints

Vulnerability

A vulnerability exists in ProjectSend versions up to r1945, where certain AJAX endpoints lack proper authorization checks. This issue allows any authenticated user, including clients with the lowest role level, to access restricted functions. The root cause is that the endpoints do not verify, before executing an action, whether the requesting user holds the permissions that action requires, so actions meant for higher-level users are reachable by anyone who is logged in. As a result, it could lead to unauthorized file enumeration and deletion of custom download links.

Impact

Exploitation of this vulnerability could allow unauthorized users to access and manipulate files and download links they should not have access to.

Reproduction

The vulnerability can be reproduced by accessing the affected AJAX endpoints as an authenticated user without the required permissions. This can be done by logging into a client account with role level 0 and sending a request that selects the 'thumbnails_regenerate_get_files' or 'thumbnails_regenerate_process' cases. Because no authorization check is performed, the request is processed, resulting in unauthorized access.

Remediation

Users are advised to update to the latest version of ProjectSend, where this vulnerability has been addressed.
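To make the missing check concrete, the following PHP fragment is an added illustration written for this page; it is not ProjectSend's code, and the role levels, the session layout and the action-to-role mapping are assumptions. Only the two action names and the fact that clients are role level 0 come from the advisory. It shows the vulnerable dispatcher shape (authentication only) beside a hardened one that authorizes each action before dispatch, fails closed on unmapped actions, and logs denials so that probing by low-privilege accounts is visible to operators.

```php
<?php
// Added example, not ProjectSend code. Role numbers, session keys and the
// action mapping below are hypothetical; clients being level 0 is from the advisory.
declare(strict_types=1);

// Minimum role level required per AJAX action (hypothetical mapping).
// Anything not listed here is refused by the hardened handler.
const ACTION_MIN_ROLE = [
    'thumbnails_regenerate_get_files' => 9,
    'thumbnails_regenerate_process'   => 9,
];

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// Vulnerable shape: "is someone logged in?" is the only gate, so a level-0
// client reaches every case in the switch.
function handle_vulnerable(array $session, string $action): void
{
    if (empty($session['user_id'])) {
        respond(401, ['error' => 'login required']);
    }
    switch ($action) {
        case 'thumbnails_regenerate_get_files':
            // ... would enumerate files and return them
            respond(200, ['ok' => true, 'action' => $action]);
        case 'thumbnails_regenerate_process':
            // ... would act on the enumerated files
            respond(200, ['ok' => true, 'action' => $action]);
        default:
            respond(400, ['error' => 'unknown action']);
    }
}

// Returns null when the action is allowed, otherwise the HTTP status to send.
// Kept free of I/O so it can be unit-tested on its own.
function authorize(array $session, string $action): ?int
{
    if (empty($session['user_id'])) {
        return 401;                                  // not authenticated
    }
    if (!array_key_exists($action, ACTION_MIN_ROLE)) {
        return 400;                                  // fail closed: unmapped action
    }
    $role = (int) ($session['role'] ?? 0);           // missing role => lowest level
    if ($role < ACTION_MIN_ROLE[$action]) {
        // Denials are worth logging: repeated 403s from one client account
        // are the detection signal for exactly the probing this advisory describes.
        error_log(sprintf('authz denied user=%s role=%d action=%s',
            (string) $session['user_id'], $role, $action));
        return 403;                                  // authenticated but not authorized
    }
    return null;
}

// Hardened shape: authorization runs before any case is reached.
function handle_hardened(array $session, string $action): void
{
    $status = authorize($session, $action);
    if ($status !== null) {
        respond($status, ['error' => 'request refused']);
    }
    switch ($action) {
        case 'thumbnails_regenerate_get_files':
            respond(200, ['ok' => true, 'action' => $action]);
        case 'thumbnails_regenerate_process':
            respond(200, ['ok' => true, 'action' => $action]);
    }
}

session_start();
handle_hardened($_SESSION, (string) ($_POST['action'] ?? ''));
```

With this shape a request from a role-0 client for either thumbnail action stops at `authorize()` with a 403 and a log line, while the unmapped-action branch ensures that adding a new case to the switch without adding it to `ACTION_MIN_ROLE` results in a refusal rather than silent exposure.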

Added: Mar 12, 2026, 4:23 AM
Updated: Mar 12, 2026, 4:23 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 6.8
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.