CVE-2020-28874

7.5 HIGH

📋 TL;DR

CVE-2020-28874 is an authentication bypass vulnerability in ProjectSend's password reset functionality. Attackers can reset any user's password without proper token validation, potentially gaining unauthorized access. All ProjectSend instances before version r1295 are affected.

💻 Affected Systems

Products:
  • ProjectSend
Versions: All versions before r1295
Operating Systems: All operating systems running ProjectSend
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all ProjectSend deployments regardless of configuration; vulnerability is in core password reset logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers reset administrator passwords, gain full control over the file sharing system, and access sensitive user files.

🟠 Likely Case

Unauthorized access to user accounts leading to data theft, file manipulation, or privilege escalation within the ProjectSend application.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass still poses significant risk.

🌐 Internet-Facing: HIGH - Publicly accessible ProjectSend instances are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable but require network access; risk depends on internal segmentation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required; exploit code is publicly available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: r1295

Vendor Advisory: https://github.com/projectsend/projectsend/releases/tag/r1295

Restart Required: No

Instructions:

1. Back up the current installation.
2. Download r1295 or later from the GitHub releases page.
3. Replace the affected files, particularly reset-password.php.
4. Verify that commit 440204734e9a1687cb9887e1c887173d23c5a93e is applied.

🔧 Temporary Workarounds

Disable Password Reset (Linux)

Temporarily disable the password reset functionality by removing or restricting access to reset-password.php:

mv /path/to/projectsend/reset-password.php /path/to/projectsend/reset-password.php.disabled

Web Server Access Control (all platforms)

Block access to reset-password.php using web server configuration:

# Apache
<Location "/reset-password.php">
    Require all denied
</Location>

# Nginx
location = /reset-password.php {
    deny all;
}

🧯 If You Can't Patch

  • Implement network-level restrictions to limit access to ProjectSend only from trusted IP addresses
  • Enable detailed logging of all password reset attempts and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check if reset-password.php exists and compare its content with the patched version from commit 440204734e9a1687cb9887e1c887173d23c5a93e

Check Version:

grep -r 'r1295\|440204734e9a1687cb9887e1c887173d23c5a93e' /path/to/projectsend/

Verify Fix Applied:

Verify the version is r1295 or later by checking the release files or commit history

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts from single IP
  • Successful password resets without corresponding user requests
  • Unusual password reset patterns

Network Indicators:

  • HTTP POST requests to reset-password.php with manipulated parameters
  • Rapid sequential password reset attempts

SIEM Query:

source="web_logs" AND uri="/reset-password.php" AND (status=200 OR parameters CONTAINS "token=") | stats count by src_ip
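The log indicators above, as an added example that is not part of the original advisory: a Python script that parses constructed Apache combined-format access log lines and flags source IPs that burst POST requests to reset-password.php. The threshold and time window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "method uri proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample data (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /reset-password.php HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /reset-password.php HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /reset-password.php HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /reset-password.php HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /reset-password.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:03:40 +0000] "POST /reset-password.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return (ip, timestamp, method, uri, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["uri"], int(m["status"])

def flag_reset_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: total_posts} for IPs that POST to reset-password.php at least
    `threshold` times within any `window`-long span (sliding window per IP)."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == "/reset-password.php":
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward past old requests
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `flag_reset_bursts(SAMPLE_LOGS)` on the sample flags only 203.0.113.5; a single legitimate reset from 198.51.100.7 stays below the threshold.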
