CVE-2021-47947
Received Received - Intake
Stored XSS in ProjectSend File Name Parameter

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-21
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-20
NVD
CVE-2021-47947
EUVD
EUVD-2021-34807
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectsend projectsend r1295
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47947 is a stored cross-site scripting (XSS) vulnerability found in ProjectSend version r1295. It occurs in the files-edit.php file where authenticated attackers can inject malicious JavaScript code by submitting crafted input in the 'name' parameter of a file.

The injected scripts are stored and later executed in the browsers of other users, especially affecting System Administrator users when they view the file on the Dashboard page.

Impact Analysis

This vulnerability allows attackers with authenticated access to inject malicious scripts that execute in the browsers of other users, potentially leading to unauthorized actions or data exposure.

Since the scripts execute particularly on System Administrator users' browsers, it could lead to privilege escalation, session hijacking, or other malicious activities that compromise the security and integrity of the system.

Detection Guidance

This vulnerability can be detected by testing for stored cross-site scripting (XSS) in the 'name' parameter of the files-edit.php page in ProjectSend r1295. An authenticated user can attempt to submit crafted input containing JavaScript payloads in the file name field and then verify if the script executes when the file is viewed by other users, especially System Administrator users on the Dashboard page.

To detect this on your system, you can use web application testing tools or manual testing by submitting payloads such as <script>alert('XSS')</script> in the file name field and observing if the alert executes.

There are no specific commands provided in the available resources, but general approaches include using curl or browser developer tools to submit and inspect the response, or using automated scanners that detect stored XSS vulnerabilities.

Mitigation Strategies

Immediate mitigation steps include restricting access to the files-edit.php page to trusted authenticated users only, especially limiting System Administrator access until a patch is applied.

Additionally, avoid accepting untrusted input in the 'name' parameter or sanitize and validate all input to prevent script injection.

Since the vulnerability is in ProjectSend r1295, check for any available updates or patches from the ProjectSend official site or security advisories and apply them as soon as possible.

Compliance Impact

The provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart