Home

Description

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-17 | Updated 2025-12-30 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Authorization Bypass Through User-Controlled Key

Product status

r1605
affected

Credits

Mirabbas Ağalarov finder

References

www.exploit-db.com/exploits/51400 exploit

www.exploit-db.com/exploits/51400 (ExploitDB-51400) exploit

www.projectsend.org/ (Official Product Homepage) product

www.vulncheck.com/...t-reference-file-download-vulnerability (VulnCheck Advisory: ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability) third-party-advisory

cve.org (CVE-2023-53930)

nvd.nist.gov (CVE-2023-53930)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.