CVE-2023-53930

HIGH

ProjectSend r1605 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53930. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary: This exploit demonstrates an Insecure Direct Object Reference (IDOR) vulnerability in ProjectSend r1605, allowing unauthorized access to private files by manipulating the 'id' parameter in a GET request.

Description

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51400

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: projectSend r1605
No auth needed
Prerequisites: Access to the target application · Valid session cookie (PHPSESSID)
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
https://www.exploit-db.com/exploits/51400 (Exploit, Third Party Advisory)

Scores

CVSS v3: 7.5
EPSS: 0.0032
EPSS Percentile: 23.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-639
Status: published
Products (2)
projectsend/projectsend r1605
projectSend/projectSend r1605
Published: Dec 17, 2025
Tracked Since: Feb 18, 2026