CVE-2014-9580

ProjectSend r561 - Stored Cross-Site Scripting via File Upload Description Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9580. PoCs published by TaurusOmar.

AI-analyzed exploit summary This is a writeup describing XSS and full path disclosure vulnerabilities in ProjectSend r561. It includes proof-of-concept examples for both issues but does not contain executable exploit code.

Description

Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) r561 allows remote attackers to inject arbitrary web script or HTML via the Description field in a file upload. NOTE: this issue was originally incorrectly mapped to CVE-2014-1155; see CVE-2014-1155 for more information.

Exploits (1)

exploitdb WRITEUP

by TaurusOmar · textwebappsphp

https://www.exploit-db.com/exploits/35582

View Code ZIP pw:eip

This is a writeup describing XSS and full path disclosure vulnerabilities in ProjectSend r561. It includes proof-of-concept examples for both issues but does not contain executable exploit code.

Classification

Writeup 90%

Attack Type

Xss | Info Leak

Complexity

Trivial

Reliability

Reliable

Target: ProjectSend r561

No auth needed

Prerequisites: access to the file upload description field · ability to craft malicious URLs

MITRE ATT&CK

T1059.007 - JavaScript T1114 - Email Collection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/35582

Exploit x_refsource_misc

http://packetstormsecurity.com/files/129666

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/99550

Scores

EPSS 0.0322

EPSS Percentile 86.6%

Details

CWE

CWE-79

Status published

Products (1)

projectsend/projectsend 561

Published Jan 08, 2015

Tracked Since Feb 18, 2026