CVE-2023-53980
BaseFortify
Publication date: 2025-12-22
Last updated on: 2025-12-26
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectsend | projectsend | r1605 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-53980 is a remote code execution vulnerability in ProjectSend version r1605. It allows attackers to upload malicious shell script files by manipulating file extensions during the upload process via the upload.process.php endpoint. Attackers bypass file extension restrictions by appending a semicolon and a permitted extension (e.g., .jpg) to the malicious file name, enabling the server to accept and store the file. Then, by renaming the file to remove the benign extension, the attacker can execute arbitrary commands on the server, gaining remote code execution capabilities. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts, including allowing attackers to execute arbitrary commands on the server hosting ProjectSend. This can lead to full remote control over the server, data theft, data manipulation, service disruption, or further attacks within the network. Since the exploit requires low privileges and no user interaction, it poses a high risk to affected systems. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious file uploads to the /includes/upload.process.php endpoint, especially files with manipulated extensions such as filenames containing shell script extensions followed by a semicolon and another extension (e.g., openme.sh;jpg). You can check your web server logs for POST requests to /includes/upload.process.php with such filenames. Additionally, look for HTTP POST requests to /files-edit.php?ids= that rename files to executable extensions. Commands to detect suspicious files on the server might include:

1) Searching for files with suspicious extensions or semicolons in filenames: `find /path/to/upload/directory -name '*;*'`
2) Checking web server access logs for suspicious POST requests: `grep 'upload.process.php' /var/log/apache2/access.log | grep -E '\.sh;|\.php;'`
3) Monitoring network connections for unexpected reverse shell activity, e.g., using `netstat -anp | grep 4444` or similar to detect connections to attacker IPs and ports. [1]
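An added triage script for the checks above (not BaseFortify or ProjectSend code): it flags stored files that match the `openme.sh;jpg` pattern or are left with a script extension, and lists clients whose POST to upload.process.php is followed by a POST to /files-edit.php?ids=. The extension list, the common/combined access-log format and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: triage for the upload-then-rename pattern described above.
# Directory and log paths are arguments; the extension list is an assumption.

# audit_uploads DIR -> "reason<TAB>path" for each suspicious file
# (paths containing newlines are not handled).
audit_uploads() {
  find "$1" -type f | while IFS= read -r f; do
    name=$(printf '%s' "${f##*/}" | tr '[:upper:]' '[:lower:]')
    case $name in
      *';'*) printf 'semicolon\t%s\n' "$f" ;;
      *.sh|*.php|*.php[0-9]|*.phtml|*.phar|*.pl|*.py|*.cgi)
             printf 'script-ext\t%s\n' "$f" ;;
      *)     if [ -x "$f" ]; then printf 'executable\t%s\n' "$f"; fi ;;
    esac
  done
}

# audit_access_log FILE -> "client<TAB>request" for every POST to
# files-edit.php?ids= from a client that earlier POSTed to upload.process.php.
# Assumes the common/combined log format ($1 client, $6 method, $7 path).
audit_access_log() {
  awk '
    $6 == "\"POST" && $7 ~ /\/includes\/upload\.process\.php/ { seen[$1] = 1 }
    $6 == "\"POST" && $7 ~ /\/files-edit\.php\?ids=/ && ($1 in seen) {
      print $1 "\t" $7
    }' "$1"
}

# Constructed sample data (not from a real system) so the script runs offline.
make_sample() {
  d=$(mktemp -d) || return 1
  mkdir "$d/files"
  : > "$d/files/report.pdf"
  : > "$d/files/openme.sh;jpg"     # name as stored after the bypassed check
  : > "$d/files/renamed.SH"        # name as it looks after the rename step
  cat > "$d/access.log" <<'EOF'
198.51.100.7 - - [22/Dec/2025:10:00:01 +0000] "POST /includes/upload.process.php HTTP/1.1" 200 64
198.51.100.7 - - [22/Dec/2025:10:00:09 +0000] "POST /files-edit.php?ids=12 HTTP/1.1" 302 0
203.0.113.20 - - [22/Dec/2025:10:02:00 +0000] "POST /files-edit.php?ids=3 HTTP/1.1" 302 0
EOF
  printf '%s\n' "$d"
}

if [ "${1:-}" = demo ]; then
  d=$(make_sample); audit_uploads "$d/files"; audit_access_log "$d/access.log"
  rm -rf "$d"
fi
```

Legitimate users also upload and then edit files, so treat the log hits as leads to correlate with the file findings rather than as proof of exploitation.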
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1) Restrict or disable file uploads to the /includes/upload.process.php endpoint until a patch is applied.
2) Implement strict validation and sanitization of uploaded file names and extensions to prevent manipulation such as semicolons or multiple extensions.
3) Apply access controls to prevent execution of uploaded files, for example, by configuring the web server to disallow execution in upload directories.
4) Monitor and remove any suspicious files already uploaded with manipulated extensions.
5) Update ProjectSend to a version where this vulnerability is fixed once available.
6) Consider network-level protections such as firewall rules to block outgoing connections to suspicious IPs and ports used by reverse shells. [1, 2]