CVE-2021-47947: Projectsend r1295 Stored Cross-Site Scripting via files-edit.php
Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.
Security readout for executives and security teams
Plain-English summary
Projectsend r1295 allows a logged-in user to store malicious script in a file name. That script can run in another user's browser, especially an administrator viewing the Dashboard. The likely business impact is account misuse or data exposure through the victim's session, not direct server takeover.
Executive priority
Treat this as a moderate-priority web application risk. It requires authenticated access, but successful abuse could affect administrator sessions and sensitive file-management workflows. Prioritize if Projectsend is internet-facing or used by external clients.
Technical view
This is stored cross-site scripting in Projectsend r1295 via the files-edit.php name parameter. The CVSS vector indicates network access, low attack complexity, low privileges, changed scope, and limited confidentiality and integrity impact. The provided sources identify CWE-79 and do not name a fixed version.
Likely exposure
Exposure appears limited to Projectsend r1295 deployments where authenticated users can edit file names. Risk is higher when less-trusted clients, partners, or internal users can upload or rename files that administrators later view in the Dashboard.
Exploitation context
The source bundle includes an ExploitDB reference, so public exploit information exists. The CVE is not listed as KEV in the provided bundle, and no cited source here supports active exploitation in the wild.
Researcher notes
Evidence supports stored XSS in the name parameter of files-edit.php for Projectsend r1295. The bundle does not establish affected versions beyond r1295, a patched version, or active exploitation. Avoid assuming broader product impact without vendor confirmation.
Mitigation direction
Inventory Projectsend deployments and identify any running r1295.
Check Projectsend vendor guidance for a fixed release or recommended remediation.
Restrict Projectsend access to trusted authenticated users until remediated.
Review and remove suspicious file names containing markup or script-like content.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.