CVE-2023-53905— ProjectSend r1605 CSV Injection via User Account Export Functionality
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-53905
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ProjectSend r1605 CSV Injection via User Account Export Functionality
Source: NVD (National Vulnerability Database)
Vulnerability Description
ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1236
Source: NVD (National Vulnerability Database)
Vulnerability Title
ProjectSend 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ProjectSend(cFTP)是ProjectSend开源的一套基于PHP和MySQL的自托管应用程序。 ProjectSend(cFTP) r1605版本存在安全漏洞,该漏洞源于用户配置文件名称字段清理不当,可能导致CSV注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| projectSend | projectSend | r1605 | - |
II. Public POCs for CVE-2023-53905
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-53905
请登录查看更多情报信息。
Same Patch Batch · projectSend · 2025-12-17 · 3 CVEs total
| CVE-2023-53930 | 7.5 HIGH | ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability |
| CVE-2023-53906 | 4.8 MEDIUM | ProjectSend r1605 Stored Cross-Site Scripting via Custom Assets Page |
IV. Related Vulnerabilities
Same product: projectSend
- CVE-2021-47947
Projectsend r1295 Stored Cross-Site Scripting via files-edit - CVE-2026-5624
ProjectSend upload.php cross-site request forgery - CVE-2026-4045
projectsend Auth.php response discrepancy - CVE-2026-4044
projectsend Delete import-orphans.php realpath path traversa - CVE-2026-3977
projectsend AJAX Endpoints authorization
Same vendor: projectSend
- CVE-2021-47947
Projectsend r1295 Stored Cross-Site Scripting via files-edit - CVE-2023-53980
ProjectSend r1605 Remote Code Execution via File Extension M - CVE-2023-53930
ProjectSend r1605 Insecure Direct Object Reference File Down - CVE-2023-53906
ProjectSend r1605 Stored Cross-Site Scripting via Custom Ass - CVE-2024-11680
ProjectSend Unauthenticated Configuration Modification
Same weakness: CWE-1236
- CVE-2026-42267
Kimai: Formula Injection via tag names in XLSX export - CVE-2026-27644
traccar allows CSV formula injection via exported position d - CVE-2023-54348
ERPGo SaaS 3.9 CSV Injection via Vendor Creation - CVE-2026-39424
MaxKB has CSV Injection in its Application Chat Export Funct - CVE-2026-24447
Movable Type 安全漏洞
V. Comments for CVE-2023-53905
No comments yet