CVE-2021-47947

Severity: Medium  ·  Weakness type: CWE-79  ·  CVSS v3: 6.4
Published: May 10, 2026  ·  Modified: May 13, 2026  ·  Source: NVD
📄 Description (English)

Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.

🤖 AI Executive Summary

CVE-2021-47947 is a stored XSS vulnerability in ProjectSend r1295 affecting the file name parameter in files-edit.php. Authenticated attackers can inject malicious JavaScript that executes when other users, particularly administrators, view files on the Dashboard. With no patch available and a medium CVSS score of 6.4, this poses a significant risk to organizations using ProjectSend for secure file sharing, especially in Saudi government and enterprise environments.

🤖 AI Intelligence Analysis (analyzed: May 13, 2026 16:21)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi government agencies, financial institutions, and enterprises using ProjectSend for secure document management and file sharing. High-risk sectors include:
1. Government entities under NCA oversight using ProjectSend for inter-agency file sharing
2. Banking sector (SAMA-regulated) if ProjectSend is used for internal document distribution
3. Healthcare organizations sharing patient records
4. Energy sector (ARAMCO and subsidiaries) for technical documentation sharing
5. Telecommunications companies (STC, Mobily) for internal communications
The stored XSS targeting administrators creates privilege escalation risks and potential lateral movement opportunities within organizational networks.
🏢 Affected Saudi Sectors
Government, Banking, Healthcare, Energy, Telecommunications, Education, Legal Services
⚖️ Saudi Risk Score (AI): 7.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all ProjectSend instances in your environment and identify version r1295 deployments
2. Review file names in the system for suspicious JavaScript patterns (e.g., <script>, onerror=, onclick=)
3. Restrict file upload and editing permissions to trusted users only
4. Implement Web Application Firewall (WAF) rules to block XSS payloads in file name parameters

Compensating Controls:
1. Deploy input validation: sanitize and validate all file name inputs, removing or encoding special characters (<, >, ", ', etc.)
2. Implement Content Security Policy (CSP) headers to prevent inline script execution
3. Enable HTTP-only and Secure flags on session cookies
4. Apply output encoding when displaying file names in HTML context
5. Restrict Dashboard access to authorized administrators only via IP whitelisting

Detection Rules:
1. Monitor files-edit.php for POST requests containing encoded script tags or event handlers in the 'name' parameter
2. Alert on file names containing: <script>, javascript:, onerror=, onclick=, onload=
3. Log and review all file edits by administrative accounts
4. Implement SIEM rules to detect multiple failed file access attempts followed by successful admin access

Long-term:
1. Migrate to actively maintained file-sharing solutions with security updates
2. Upgrade ProjectSend to latest patched version when available
3. Implement regular security code reviews for custom file-sharing implementations
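The following is an added example, not ProjectSend's own code or part of the original advisory. It shows two of the controls above in working form: output encoding of a stored file name before it is rendered in HTML (compensating control 4) and a detection pass over constructed web-server log lines that flags POSTs to files-edit.php whose 'name' parameter carries script tags or event handlers (detection rules 1 and 2). The log line format is an assumption made for this example.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Patterns named in the advisory's detection rule 2, plus generic inline event
# handlers (on...=) and a few tag names that commonly carry them. Matched
# case-insensitively after URL-decoding so %3Cscript%3E is caught as well as
# the literal tag. This is a heuristic: a name like "one=two.txt" would also match.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|object|embed)\b",
    re.IGNORECASE,
)


def is_suspicious_file_name(name: str) -> bool:
    """True if a file name contains markup or script patterns that never belong in a name."""
    return SUSPICIOUS.search(unquote_plus(name)) is not None


def encode_file_name_for_html(name: str) -> str:
    """Output-encode a stored file name before placing it in an HTML text or attribute context."""
    return html.escape(name, quote=True)


def scan_edit_requests(log_lines):
    """Return (line_no, decoded name) for POSTs to files-edit.php whose 'name' looks like a payload.

    Assumed (constructed) log format: "<client-ip> <method> <path> <urlencoded form body>".
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST" or not parts[2].endswith("files-edit.php"):
            continue
        for name in parse_qs(parts[3]).get("name", []):
            if is_suspicious_file_name(name):
                hits.append((n, name))
    return hits


# Constructed sample log lines: three benign requests and two that should raise an alert.
SAMPLE_LOG = [
    "10.0.0.5 POST /files-edit.php id=12&name=Q3+report.pdf",
    "10.0.0.5 GET /dashboard.php -",
    "10.0.0.9 POST /files-edit.php id=13&name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "10.0.0.9 POST /files-edit.php id=14&name=logo.png%22+onerror%3Dalert%281%29",
    "10.0.0.7 POST /files-edit.php id=15&name=Meeting+notes+%28final%29.docx",
]

if __name__ == "__main__":
    for line_no, name in scan_edit_requests(SAMPLE_LOG):
        print(f"line {line_no}: flagged {name!r}; safe to render as {encode_file_name_for_html(name)!r}")
```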
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- A.14.2.1 - Secure development policy (input validation and output encoding requirements)
- A.14.2.5 - Secure development environment (vulnerability management)
- A.12.6.1 - Management of technical vulnerabilities (patch management)
- A.12.2.1 - User registration and access rights management (access control to file editing)
🔵 SAMA CSF
- ID.GV-1 - Organizational cybersecurity policy and procedures
- PR.DS-1 - Data security and protection (input validation, output encoding)
- PR.PT-1 - Security awareness and training for file handling
- DE.CM-1 - Detection and analysis of anomalies and events (XSS detection)
🟡 ISO 27001:2022
- A.6.1.1 - Information security policies (secure coding practices)
- A.12.6.1 - Management of technical vulnerabilities
- A.14.2.1 - Secure development policy
- A.14.2.5 - Secure development environment
- A.13.1.3 - Segregation of networks (WAF deployment)
🟣 PCI DSS v4.0.1
- 6.5.7 - Cross-site scripting (XSS) prevention
- 6.5.1 - Injection flaws prevention
- 11.2.2 - Vulnerability scanning and assessment
📊 CVSS Score: 6.4 / 10.0 — Medium
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Attack Vector (AV): N — Network
- Attack Complexity (AC): L — Low
- Privileges Required (PR): L — Low
- User Interaction (UI): N — None
- Scope (S): C — Changed
- Confidentiality (C): L — Low
- Integrity (I): L — Low
- Availability (A): N — None
📋 Quick Facts
- Severity: Medium
- CVSS Score: 6.4
- CWE: CWE-79
- EPSS: 0.03%
- Exploit: No
- Patch: ✗ No
- Published: 2026-05-10
- Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.2 / 10.0 — Priority: HIGH
🏷️ Tags: CWE-79