CVE-2023-53906

4.8 MEDIUM

📋 TL;DR

CVE-2023-53906 is a stored cross-site scripting vulnerability in projectSend r1605 that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. This enables persistent script execution when other users load the affected page, potentially compromising user sessions and data. Only projectSend instances with administrator accounts are affected.

💻 Affected Systems

Products:
  • projectSend
Versions: r1605
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated administrator access to exploit. All deployments using the vulnerable version are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with admin credentials could steal session cookies, redirect users to malicious sites, perform actions on behalf of users, or deploy additional malware payloads across the application.

🟠 Likely Case

Malicious administrators or compromised admin accounts could perform session hijacking, credential theft, or defacement of the application interface for other users.

🟢 If Mitigated

With proper access controls and input validation, the impact is limited to potential interface manipulation without data compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin credentials but is trivial to execute once authenticated. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: r1606 or later

Vendor Advisory: https://www.projectsend.org/

Restart Required: No

Instructions:

1. Download the latest version from projectsend.org.
2. Back up your current installation.
3. Replace the vulnerable files with the patched version.
4. Verify that the custom assets page no longer accepts JavaScript input.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement server-side input validation to sanitize custom assets configuration inputs
  • Modify the custom assets handling code to strip or encode HTML/JavaScript tags

Admin Access Restriction (applies to: all)

  • Temporarily restrict admin access to trusted IP addresses only
  • Configure the web server or application firewall to limit admin panel access

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution
  • Monitor admin account activity and implement multi-factor authentication for all admin accounts
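The two workarounds above (server-side validation/encoding of the custom assets setting, and a CSP that blocks inline script) can be put side by side in code. The following is an added example written for this advisory; it is not projectSend's own code, which is PHP and is not reproduced here. It assumes that a custom asset entry is a relative path to a .css or .js file under an assets directory (the `/assets/custom/` base path, the `validate_asset_path` and `csp_header` helper names, and the allowed extensions are all assumptions), and it shows the unencoded pattern the advisory describes next to a hardened version.

```python
"""Hardened handling of an admin-supplied "custom assets" setting.

Added example for the CVE-2023-53906 advisory; not projectSend code.
Assumption: each custom asset value is a relative path to a .css/.js file
under /assets/custom/, plus optional free-text labels rendered in HTML.
"""
import html
import posixpath
import re
import secrets

ASSET_NAME_RE = re.compile(r"^[A-Za-z0-9_\-./]+$")   # no '<', '>', quotes, spaces, schemes
ALLOWED_EXTENSIONS = {".css", ".js"}                  # assumption about the feature
NONCE_RE = re.compile(r"^[A-Za-z0-9+/=_\-]{16,}$")


class InvalidAssetError(ValueError):
    """Raised when an admin-supplied asset value is rejected."""


def render_tag_unsafe(value: str) -> str:
    # The pattern the advisory describes: the stored admin value is written
    # straight into the page, so a value containing markup becomes script.
    return f'<script src="{value}"></script>'


def validate_asset_path(value: str) -> str:
    """Accept only a safe relative path ending in an allowed extension."""
    if not isinstance(value, str) or not value:
        raise InvalidAssetError("empty value")
    if not ASSET_NAME_RE.fullmatch(value):
        raise InvalidAssetError("disallowed characters")
    norm = posixpath.normpath(value)
    # After normpath, any remaining '..' can only be at the start.
    if norm.startswith(("/", "..")) or norm == ".":
        raise InvalidAssetError("path traversal or absolute path")
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXTENSIONS:
        raise InvalidAssetError("extension not allowed")
    return norm


def is_valid_asset_path(value: str) -> bool:
    try:
        validate_asset_path(value)
        return True
    except InvalidAssetError:
        return False


def render_tag(value: str) -> str:
    """Validate, then attribute-encode, before emitting a link/script tag."""
    path = validate_asset_path(value)
    safe = html.escape(path, quote=True)
    if posixpath.splitext(path)[1].lower() == ".css":
        return f'<link rel="stylesheet" href="/assets/custom/{safe}">'
    return f'<script src="/assets/custom/{safe}"></script>'


def render_label(text: str) -> str:
    """Free-text admin strings are always encoded for the HTML body context."""
    return html.escape(text, quote=True)


def make_nonce() -> str:
    """Per-response nonce for scripts the application itself emits inline."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value that blocks inline script unless nonced."""
    if not NONCE_RE.fullmatch(nonce):
        raise ValueError("nonce must be at least 16 base64/urlsafe characters")
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "style-src 'self'; object-src 'none'; base-uri 'self'; "
            "frame-ancestors 'none'")


if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"     # the test string from this advisory
    print("unsafe :", render_tag_unsafe(payload))  # markup reaches the page
    print("valid? :", is_valid_asset_path(payload))
    print("label  :", render_label(payload))
    print("tag    :", render_tag("theme/site.css"))
    print("CSP    :", csp_header(make_nonce()))
```

Roll the CSP out with the `Content-Security-Policy-Report-Only` header first: a policy without `'unsafe-inline'` also blocks any inline script the application legitimately uses, and report-only mode surfaces those before anything breaks.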

🔍 How to Verify

Check if Vulnerable:

Log in as admin, navigate to the custom assets configuration page, enter a JavaScript payload such as <script>alert('XSS')</script>, and check whether it persists.

Check Version:

Check the version number in the projectSend admin panel or read the version file in the installation directory

Verify Fix Applied:

After patching, repeat the test above: the JavaScript should be sanitized or rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin login patterns
  • Multiple failed admin login attempts
  • Admin account accessing custom assets page from unusual locations

Network Indicators:

  • HTTP requests containing JavaScript payloads in custom assets parameters
  • Unusual outbound connections from the projectSend server

SIEM Query:

source="projectsend_logs" AND (message="custom_assets" OR message="admin_login") AND status="success"
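The log and network indicators above can be checked with a small analysis script run over application log lines. The following is an added example, not part of the advisory and not projectSend's logging code: the key=value log layout, the action names `custom_assets` and `admin_login` (chosen to mirror the SIEM query), the trusted admin network and the failed-login threshold are all assumptions, and the log lines are constructed samples.

```python
"""Detection over constructed projectSend-style application log lines.

Added example for the CVE-2023-53906 advisory; not projectSend code.
Assumptions: key=value fields per line, action names "custom_assets" and
"admin_login", a trusted admin network, and a failed-login threshold.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=admin action=admin_login status=success
2024-05-01T10:00:09Z ip=203.0.113.5 user=admin action=custom_assets status=success params="name=theme/site.css"
2024-05-01T10:02:10Z ip=198.51.100.7 user=admin action=admin_login status=failure
2024-05-01T10:02:25Z ip=198.51.100.7 user=admin action=admin_login status=failure
2024-05-01T10:02:40Z ip=198.51.100.7 user=admin action=admin_login status=failure
2024-05-01T10:02:52Z ip=198.51.100.7 user=admin action=admin_login status=success
2024-05-01T10:03:10Z ip=198.51.100.7 user=admin action=custom_assets status=success params="name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"
2024-05-01T10:05:00Z ip=203.0.113.5 user=alice action=custom_assets status=success params="name=logo.png"
"""

TRUSTED_ADMIN_NETS = [ip_network("203.0.113.0/24")]   # assumption
FAILED_LOGIN_THRESHOLD = 3                            # assumption

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SCRIPT_MARKUP_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k="v v"' into a dict; quoted values keep spaces."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def contains_script_markup(params: str) -> bool:
    """URL-decode (twice, for double-encoded values) and look for script markup."""
    once = unquote_plus(params)
    twice = unquote_plus(once)
    return bool(SCRIPT_MARKUP_RE.search(once) or SCRIPT_MARKUP_RE.search(twice))


def ip_is_trusted(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyse(log_text: str) -> list:
    """Return (finding, timestamp, ip) tuples for the indicators in the advisory."""
    findings = []
    failures = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        ip, action, status = f.get("ip", ""), f.get("action"), f.get("status")
        # Network indicator: JavaScript payload in a custom assets parameter.
        if action == "custom_assets" and contains_script_markup(f.get("params", "")):
            findings.append(("script_markup_in_custom_assets", f["ts"], ip))
        # Log indicator: repeated failed admin logins from one source.
        if action == "admin_login" and status == "failure":
            failures[ip] = failures.get(ip, 0) + 1
            if failures[ip] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated_failed_admin_login", f["ts"], ip))
        # Log indicator: successful admin activity from an unusual location.
        if action in ("custom_assets", "admin_login") and status == "success" and not ip_is_trusted(ip):
            findings.append(("admin_activity_from_untrusted_ip", f["ts"], ip))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The markup check runs on the decoded parameter value rather than the raw line, which is why the percent-encoded payload in the sample is caught; the SIEM query on the page only matches the action and status fields, so a rule like this one is what turns a successful `custom_assets` change into an alert when it carries script.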
