Overview
CVE-2025-13232 describes a Cross-Site Scripting (XSS) vulnerability discovered in ProjectSend, a popular self-hosted file sharing application. This vulnerability affects versions up to and including r1720. Exploitation of this flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking, defacement, or the execution of arbitrary code in the context of the user’s browser. A patch is available and upgrading is strongly recommended.
Technical Details
The vulnerability resides within the File Editor/Custom Download Aliases component of ProjectSend. Specifically, an unknown function within this component is susceptible to manipulation that allows for XSS attacks. The attack can be performed remotely, making it a significant risk to exposed ProjectSend instances. The exploit is publically available, further increasing the urgency of patching this vulnerability. The vulnerable code was patched with commit 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845.
CVSS Analysis
- CVE ID: CVE-2025-13232
- Severity: LOW
- CVSS Score: 3.5
A CVSS score of 3.5 indicates a LOW severity vulnerability. While the impact can be significant if exploited, the exploitability is likely to be more complex or require specific conditions to be met. However, because the exploit is publicly available, admins should not delay in patching their systems.
Possible Impact
Successful exploitation of CVE-2025-13232 could lead to:
- Session Hijacking: Attackers can steal user session cookies, gaining unauthorized access to user accounts.
- Website Defacement: Malicious scripts can alter the appearance of the ProjectSend interface, damaging the website’s reputation.
- Malware Distribution: Attackers can inject scripts that redirect users to malicious websites or download malware onto their computers.
- Data Theft: While not a direct data breach vulnerability, XSS can be chained with other exploits to potentially exfiltrate sensitive data.
Mitigation and Patch Steps
The recommended mitigation is to upgrade ProjectSend to version r1945 or later. This version includes the necessary patch to address the XSS vulnerability.
- Backup Your Installation: Before upgrading, create a full backup of your ProjectSend database and files.
- Download the Latest Version: Download ProjectSend r1945 from the official releases page: ProjectSend r1945 Release
- Follow Upgrade Instructions: Carefully follow the upgrade instructions provided in the ProjectSend documentation.
- Verify the Patch: After upgrading, verify that the patch has been applied successfully. This can be done by inspecting the code or by attempting to trigger the vulnerability (after backing up the installation).
References
- Commit Patch: https://github.com/projectsend/projectsend/commit/334da1ea39cb12f6b6e98dd2f80bb033e0c7b845
- Pull Request: https://github.com/projectsend/projectsend/pull/1450
- ProjectSend Release r1945: https://github.com/projectsend/projectsend/releases/tag/r1945
- VulDB Entry: https://vuldb.com/?ctiid.332558
- VulDB ID: https://vuldb.com/?id.332558
- VulDB Submit: https://vuldb.com/?submit.686533
