{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53980","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-12-20T16:31:20.899Z","datePublished":"2025-12-22T21:35:36.344Z","dateUpdated":"2026-03-05T12:03:24.363Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-03-05T12:03:24.363Z"},"datePublic":"2023-01-26T00:00:00.000Z","title":"ProjectSend r1605 Remote Code Execution via File Extension Manipulation","descriptions":[{"lang":"en","value":"ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Unrestricted Upload of File with Dangerous Type","cweId":"CWE-434","type":"CWE"}]}],"affected":[{"vendor":"ProjectSend","product":"projectSend","versions":[{"version":"r1605","status":"affected"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:projectsend:projectsend:r1720:*:*:*:*:*:*:*"}]}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/51238","name":"ExploitDB-51238","tags":["exploit"]},{"url":"https://www.projectsend.org/","name":"Official Product Homepage","tags":["product"]},{"name":"VulnCheck Advisory: ProjectSend r1605 Remote Code Execution via File Extension Manipulation","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/projectsend-remote-code-execution-via-file-extension-manipulation"}],"credits":[{"lang":"en","value":"Mirabbas Ağalarov","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"references":[{"url":"https://www.exploit-db.com/exploits/51238","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-22T21:57:21.140894Z","id":"CVE-2023-53980","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-22T22:04:02.619Z"}}]}}