CVE-2023-53930

7.5 HIGH

📋 TL;DR

CVE-2023-53930 is an insecure direct object reference vulnerability in ProjectSend r1605 that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in download requests to process.php. All ProjectSend r1605 installations with private file sharing enabled are affected.

💻 Affected Systems

Products:
  • ProjectSend
Versions: r1605
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of ProjectSend r1605 are vulnerable by default when private file sharing is enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all private files stored in the system, including sensitive documents, credentials, or proprietary data, leading to data breaches, regulatory violations, and reputational damage.

🟠 Likely Case

Unauthorized access to private files belonging to multiple users, potentially exposing confidential business documents, personal information, or intellectual property.

🟢 If Mitigated

Limited exposure if proper access controls, network segmentation, and monitoring are in place, but the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires simple parameter manipulation in HTTP requests to process.php with modified 'id' parameter values.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: r1606 and later

Vendor Advisory: https://www.projectsend.org/

Restart Required: No

Instructions:

1. Download the latest ProjectSend version from projectsend.org
2. Back up the current installation
3. Replace the files with the new version
4. Verify functionality

🔧 Temporary Workarounds

Access Control Enhancement

Applies to: all

Implement additional authentication checks before file download operations

Modify process.php to validate user session and file ownership before serving downloads

Parameter Validation

Applies to: all

Add server-side validation for download ID parameters

Implement input validation and authorization checks for all file download requests
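The two workarounds above amount to one rule: validate the 'id' parameter server-side, then check that the authenticated session owns the requested file before serving it. The block below is an added, generic illustration of that rule in Python; it is not ProjectSend's process.php and does not reflect how the project stores files. The FILES table, owner ids and paths are constructed sample data.

```python
"""Ownership check before serving a download (added example, not ProjectSend code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class FileRecord:
    file_id: int
    owner_id: int
    path: str
    public: bool = False


class DownloadDenied(Exception):
    """Raised when the requester may not access the requested file."""


# Constructed sample inventory standing in for the application's file table.
FILES: Dict[int, FileRecord] = {
    1: FileRecord(1, owner_id=10, path="/srv/files/q3-report.pdf"),
    2: FileRecord(2, owner_id=20, path="/srv/files/contract.docx"),
    3: FileRecord(3, owner_id=20, path="/srv/files/brochure.pdf", public=True),
}


def parse_file_id(raw: Optional[str]) -> int:
    """Server-side validation of the 'id' parameter: must be a positive integer."""
    if raw is None or not raw.isdigit():
        raise ValueError("id must be a positive integer")
    return int(raw)


def vulnerable_download(raw_id: Optional[str]) -> str:
    """The IDOR pattern: look the file up by id and serve it with no ownership check."""
    record = FILES.get(parse_file_id(raw_id))
    if record is None:
        raise KeyError("no such file")
    return record.path


def hardened_download(raw_id: Optional[str], session_user: Optional[int]) -> str:
    """Same lookup, but the caller must be authenticated and must own the file
    (or the file must be flagged public)."""
    if session_user is None:
        raise DownloadDenied("authentication required")
    record = FILES.get(parse_file_id(raw_id))
    # Return the same error for missing and foreign files so that a
    # rejected request does not reveal which ids exist.
    if record is None or (not record.public and record.owner_id != session_user):
        raise DownloadDenied("not found or not permitted")
    return record.path


def download_allowed(raw_id: Optional[str], session_user: Optional[int]) -> bool:
    """Convenience wrapper: True only if the hardened path would serve the file."""
    try:
        hardened_download(raw_id, session_user)
        return True
    except (DownloadDenied, ValueError):
        return False
```

The key difference is that `hardened_download` never reaches the filesystem without first tying the id to the session's user; the collapsed "not found or not permitted" error is a design choice made here so that the fix does not turn into an id-existence oracle.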

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious download parameter patterns
  • Restrict network access to ProjectSend instance and implement strict access controls

🔍 How to Verify

Check if Vulnerable:

Test by accessing process.php with modified 'id' parameters to attempt unauthorized file downloads

Check Version:

Check ProjectSend version in admin panel or version.php file

Verify Fix Applied:

Verify that modified 'id' parameters no longer allow unauthorized file access and proper authentication checks are enforced

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful file downloads
  • Unusual download patterns from single IP addresses
  • Access to process.php with sequential or unusual ID parameters

Network Indicators:

  • HTTP requests to process.php with manipulated ID parameters
  • Unusual download traffic patterns

SIEM Query:

source="web_server" AND uri="/process.php" AND (id_parameter_changes OR failed_auth_before_download)

(Illustrative pseudo-query only: `id_parameter_changes` and `failed_auth_before_download` are not built-in fields and must be mapped to whatever your SIEM extracts from the web server's access and authentication logs.)
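The log indicator "access to process.php with sequential or unusual ID parameters" can be checked directly against web server access logs. The block below is an added example, not part of the original advisory: it parses Apache/nginx combined-format lines (an assumed format), collects the numeric 'id' values each client requests from /process.php, and reports clients that walked several distinct ids, flagging an unbroken run as sequential. The log lines and IP addresses are constructed sample data.

```python
"""Detect download-id enumeration against process.php in access logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed combined log format: ip ident user [time] "METHOD uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client walking ids 41..45, another fetching a single file.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /process.php?id=41 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /process.php?id=42 HTTP/1.1" 200 7340
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /process.php?id=43 HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /process.php?id=44 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /process.php?id=45 HTTP/1.1" 200 9000
198.51.100.4 - - [10/Oct/2023:13:57:02 +0000] "GET /process.php?id=12 HTTP/1.1" 200 3000
198.51.100.4 - - [10/Oct/2023:13:58:10 +0000] "GET /index.php HTTP/1.1" 200 800
"""


def parse_download_ids(log_text: str) -> Dict[str, List[int]]:
    """Map client IP -> numeric 'id' values requested from /process.php, in log order."""
    ids: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        parts = urlsplit(m.group("uri"))
        if parts.path != "/process.php":
            continue
        for raw in parse_qs(parts.query).get("id", []):
            if raw.isdigit():
                ids[m.group("ip")].append(int(raw))
    return dict(ids)


def enumeration_suspects(log_text: str, min_ids: int = 4) -> List[Tuple[str, int, bool]]:
    """Return (ip, distinct_id_count, sequential) for clients that requested at
    least `min_ids` distinct download ids. `sequential` is True when the sorted
    ids form an unbroken run, the usual signature of a scripted id walk."""
    suspects: List[Tuple[str, int, bool]] = []
    for ip, seen in parse_download_ids(log_text).items():
        distinct = sorted(set(seen))
        if len(distinct) < min_ids:
            continue
        sequential = distinct[-1] - distinct[0] == len(distinct) - 1
        suspects.append((ip, len(distinct), sequential))
    return suspects


if __name__ == "__main__":
    for ip, count, seq in enumeration_suspects(SAMPLE_LOG):
        print(f"{ip}: {count} distinct ids, sequential={seq}")
```

Tune `min_ids` to the instance's normal usage; on a busy share a legitimate user may open several files, so pairing this count with the authentication log (downloads without a preceding successful login) keeps the alert precise.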

🔗 References
