Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2014-9567

Severity CVSS v4.0:
Pending analysis
Type:
CWE-94 Code Injection
Publication date:
07/01/2015
Last modified:
12/04/2025

Description

Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.

Impact

Vector 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P CVSS v2.0 Severity and Metrics:

Base Score: 7.50 HIGH
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Attack Vector (AV): Network
Attack Complexity (AC): Low
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): Physical
Availability (A): Physical

Base Score 2.0
7.50
Severity 2.0
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:projectsend:projectsend:100:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:102:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:105:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:110:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:155:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:156:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:157:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:161:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:180:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:335:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:375:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:405:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:412:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:514:*:*:*:*:*:*:*
cpe:2.3:a:projectsend:projectsend:561:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools