Projectsend r572 suffers from a cross site scripting vulnerability.
cc435eb98777bd119341c098258b2689927d36a6df2cef54892ebf0eb790ce7a
Title: Projectsend r572 - Cross Site Scripting (Reflected)
Disclosed: 5/28/15
Vendor Patched: 6/6/15
Published: 6/10/15
Credit: Matt Landers - matt@mjltech.net
Original Advisory: www.mjltech.net/adv/MJLTECH%20-%20Projectsend%20R572%20XSS.txt
======================================================================
Confirmed Vulnerable: Projectsend R572
Vendor: http://www.projectsend.org/
Description from vendor website:
"ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared web hosting account) that lets you upload files and assign them to specific clients that you create yourself! Secure, private and easy. No more depending on external services or e-mail to send those files!"
======================================================================
Vulnerable file: index.php
Vulnerable parameter: login_form_user
Description of vulnerability: The parameter 'login_form_user'is vulnerable to XSS via POST request.
Proof of Concept: POST http://www.********.com/index.php?login_form_user="><script>alert(1)</script>