I’ve identified a security issue in the self-hosted file sharing tool ProjectSend, affecting the current version r1605. By chaining several vulnerabilities – Cross-Site Scripting (XSS), an Insecure Direct Object Reference (IDOR), and weaknesses in the change-password implementation – an authenticated attacker can force another logged-in user to unknowingly change their own account password, simply by getting that user to click a link.
Let me explain the attack in detail.