CVE-2015-2564

ProjectSend r561 - Authenticated SQL Injection via ID Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2564. PoCs published by ITAS Team.

AI-analyzed exploit summary This is a writeup detailing a SQL injection vulnerability in ProjectSend r561. The vulnerability exists in the 'id' parameter of the 'users-edit.php' file, where user input is not properly sanitized before being used in a SQL query.

Description

SQL injection vulnerability in client-edit.php in ProjectSend (formerly cFTP) r561 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to users-edit.php.

Exploits (1)

exploitdb WRITEUP
by ITAS Team · textwebappsphp
https://www.exploit-db.com/exploits/36303

This is a writeup detailing a SQL injection vulnerability in ProjectSend r561. The vulnerability exists in the 'id' parameter of the 'users-edit.php' file, where user input is not properly sanitized before being used in a SQL query.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: ProjectSend r561
Auth required
Prerequisites: Valid session cookies · Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/36303
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/30
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/534832/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/119169

Scores

EPSS 0.0313
EPSS Percentile 86.2%

Details

CWE
CWE-89
Status published
Products (1)
projectsend/projectsend 561
Published Mar 20, 2015
Tracked Since Feb 18, 2026