CVE-2021-47947

MEDIUM

Projectsend r1295 Stored Cross-Site Scripting via files-edit.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47947. PoCs published by Abdullah Kala.

AI-analyzed exploit summary This is a functional proof-of-concept for a stored XSS vulnerability in Projectsend r1295. The exploit demonstrates how an attacker can inject malicious JavaScript into the 'name' field of a file edit request, which is then executed when viewed by a System Administrator on the Dashboard page.

Description

Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.

Exploits (1)

exploitdb WORKING POC

by Abdullah Kala · textwebappsphp

https://www.exploit-db.com/exploits/50240

View Code ZIP pw:eip

This is a functional proof-of-concept for a stored XSS vulnerability in Projectsend r1295. The exploit demonstrates how an attacker can inject malicious JavaScript into the 'name' field of a file edit request, which is then executed when viewed by a System Administrator on the Dashboard page.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Projectsend r1295

Auth required

Prerequisites: Valid session cookie (PHPSESSID) · Access to the file edit functionality · A created client group

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 10, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-50240

https://www.exploit-db.com/exploits/50240

Product product

Official Product Homepage

https://www.projectsend.org/

Product product

Product Reference

https://www.projectsend.org/download/387/

Third Party Advisory third-party-advisory

VulnCheck Advisory: Projectsend r1295 Stored Cross-Site Scripting via files-edit.php

https://www.vulncheck.com/advisories/projectsend-r1295-stored-cross-site-scripting-via-files-edit-php

Scores

CVSS v3 6.4

EPSS 0.0020

EPSS Percentile 10.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Projectsend/Projectsend r1295

Published May 10, 2026

Tracked Since May 10, 2026