CVE-2023-53906
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-27

Assigner: VulnCheck

Description
projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users load the affected page, enabling persistent script injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53906
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectsend projectsend r1605
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in projectSend r1605. Authenticated administrators can inject malicious JavaScript code through the custom assets configuration page. When other users load the affected page, the injected script executes, allowing persistent script injection.

Impact Analysis

The vulnerability can allow attackers to execute malicious scripts in the context of other users' browsers. This can lead to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of users, potentially compromising the security and integrity of the application and its users.

Detection Guidance

To detect this vulnerability, you can verify if the projectSend instance is running version r1605 and check for the presence of malicious JavaScript injected via the custom assets page. One approach is to log in as an authenticated admin and inspect the custom assets at `/custom-assets.php` or `/custom-assets-add.php?language=js` for suspicious JavaScript payloads such as alert("XSS"). You can also monitor HTTP POST requests to `/custom-assets-add.php` containing parameters like `language=js`, `content` with JavaScript code, and `location=public`. For example, using curl to fetch the custom assets page and grep for suspicious scripts: `curl -s -b cookies.txt https://yourprojectsend/custom-assets.php | grep '<script>'`. Additionally, reviewing logs for POST requests injecting JavaScript payloads can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting admin access to trusted users only, as the vulnerability requires authenticated administrator privileges to inject malicious scripts. Disable or restrict the use of the custom assets feature if possible. Apply input validation and sanitization on the custom assets configuration page to prevent JavaScript injection. If a patch or updated version is available from the vendor, apply it promptly. Additionally, monitor and audit custom assets for unauthorized or suspicious JavaScript code and remove any malicious entries. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53906. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart