CVE-2025-13232
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in ProjectSend's File Editor/Custom Download Aliases component. Attackers can inject malicious scripts that execute in users' browsers when they access manipulated content. All ProjectSend installations up to version r1720 are affected.
💻 Affected Systems
- ProjectSend
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface the application.
Likely Case
Session hijacking leading to unauthorized file access or data theft from authenticated users.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though XSS could still affect user experience.
🎯 Exploit Status
Exploit has been published and is remotely executable. Attack requires user interaction to trigger the XSS payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: r1945
Vendor Advisory: https://github.com/projectsend/projectsend/releases/tag/r1945
Restart Required: No
Instructions:
1. Backup your current ProjectSend installation and database.
2. Download version r1945 from the official repository.
3. Replace the existing files with the new version.
4. Verify the patch commit 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845 is present.
🔧 Temporary Workarounds
Disable File Editor/Custom Download Aliases
Temporarily disable the vulnerable component if it is not required for operations.
# Check ProjectSend configuration for component disable options
# Modify configuration files to disable the File Editor feature
Implement WAF Rules
Deploy web application firewall rules to block XSS payloads targeting the vulnerable endpoints.
# Example ModSecurity rule (case-insensitive match against every request argument):
SecRule ARGS "@rx (?i)<script" "id:1001,phase:2,deny,msg:'XSS Attack Detected'"
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate script execution
- Deploy input validation and output encoding at the application layer
🔍 How to Verify
Check if Vulnerable:
Check your ProjectSend version. If it's r1720 or earlier, you are vulnerable. Review the File Editor/Custom Download Aliases component for unescaped user input.
Check Version:
grep -r 'define.*VERSION' /path/to/projectsend/
Alternatively, check the version shown in the admin panel.
Verify Fix Applied:
Verify the patch commit 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845 exists in your installation. Test the File Editor functionality with XSS payloads to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to File Editor endpoints with script tags or JavaScript payloads
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing <script>, javascript:, or other XSS vectors targeting /files/edit or similar paths
SIEM Query:
source="web_logs" AND (uri_path="/files/edit" OR uri_path="/custom-aliases") AND (request_body CONTAINS "<script" OR request_body CONTAINS "javascript:")
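The same indicators as the SIEM query above, applied to web server access logs, as an added example that is not part of this advisory or of ProjectSend. It assumes Apache/Nginx combined log format and the two endpoint paths named above; adjust WATCHED_PATHS to your deployment. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint paths taken from the advisory's indicators; adjust for your install (assumption).
WATCHED_PATHS = ("/files/edit", "/custom-aliases")

# The vectors named in the advisory plus common event-handler and tag forms they would miss.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"<\s*(img|svg|iframe)\b", re.I),
]

# Combined Log Format: host ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def classify(line):
    """Return (client_ip, path, matched_patterns) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PATHS):
        return None
    # Decode twice: payloads are often URL-encoded once by the browser and once more by hand.
    decoded = unquote_plus(unquote_plus(parts.query))
    hits = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
    return (client, parts.path, hits) if hits else None

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the flagged ones."""
    return [r for r in (classify(line) for line in lines) if r]

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /files/edit?id=12&alias=report HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /files/edit?alias=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl"',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /custom-aliases?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl"',
    '10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla"',
]

if __name__ == "__main__":
    for client, path, hits in scan(SAMPLE_LOG):
        print(f"{client} -> {path}: {hits}")
```

Access logs carry only the query string, so POST bodies sent to these endpoints need request-body logging (for example a WAF audit log) before the same check can be applied to them.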
🔗 References
- https://github.com/projectsend/projectsend/
- https://github.com/projectsend/projectsend/commit/334da1ea39cb12f6b6e98dd2f80bb033e0c7b845
- https://github.com/projectsend/projectsend/pull/1450
- https://github.com/projectsend/projectsend/releases/tag/r1945
- https://vuldb.com/?ctiid.332558
- https://vuldb.com/?id.332558
- https://vuldb.com/?submit.686533