CVE-2021-47947
Stored XSS in ProjectSend File Name Parameter
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47947 is a stored cross-site scripting (XSS) vulnerability found in ProjectSend version r1295. It occurs in the files-edit.php file where authenticated attackers can inject malicious JavaScript code by submitting crafted input in the 'name' parameter of a file.
The injected scripts are stored and later executed in the browsers of other users, especially affecting System Administrator users when they view the file on the Dashboard page.
How can this vulnerability impact me? :
This vulnerability allows attackers with authenticated access to inject malicious scripts that execute in the browsers of other users, potentially leading to unauthorized actions or data exposure.
Since the scripts execute particularly on System Administrator users' browsers, it could lead to privilege escalation, session hijacking, or other malicious activities that compromise the security and integrity of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for stored cross-site scripting (XSS) in the 'name' parameter of the files-edit.php page in ProjectSend r1295. An authenticated user can attempt to submit crafted input containing JavaScript payloads in the file name field and then verify if the script executes when the file is viewed by other users, especially System Administrator users on the Dashboard page.
To detect this on your system, you can use web application testing tools or manual testing by submitting payloads such as <script>alert('XSS')</script> in the file name field and observing if the alert executes.
There are no specific commands provided in the available resources, but general approaches include using curl or browser developer tools to submit and inspect the response, or using automated scanners that detect stored XSS vulnerabilities.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the files-edit.php page to trusted authenticated users only, especially limiting System Administrator access until a patch is applied.
Additionally, avoid accepting untrusted input in the 'name' parameter or sanitize and validate all input to prevent script injection.
Since the vulnerability is in ProjectSend r1295, check for any available updates or patches from the ProjectSend official site or security advisories and apply them as soon as possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.