CVE-2021-47947 Overview
CVE-2021-47947 is a stored cross-site scripting (XSS) vulnerability in ProjectSend r1295, a self-hosted file-sharing application. Authenticated attackers can inject JavaScript payloads through the name parameter in files-edit.php. The malicious script is persisted server-side and executed in the browser of any user who later views the affected file. System Administrator users viewing the Dashboard page are particularly exposed because file listings render there by default. The flaw is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
An authenticated attacker can execute arbitrary JavaScript in an administrator's session, enabling session hijacking, privileged action abuse, and further account compromise within ProjectSend.
Affected Products
- ProjectSend r1295
- ProjectSend self-hosted file-sharing deployments running r1295
- Web browsers rendering file metadata served by vulnerable ProjectSend instances
Discovery Timeline
- 2026-05-10 - CVE-2021-47947 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47947
Vulnerability Analysis
The vulnerability resides in files-edit.php, which accepts user-controlled input for the file name field without proper output encoding. ProjectSend stores the supplied value and later renders it inside HTML contexts such as the Dashboard file list. Because the application does not neutralize HTML or JavaScript metacharacters, an attacker can place a payload like an inline <script> block or an event handler attribute inside the file name. When another authenticated user, including a System Administrator, loads the page that lists the file, the browser parses the stored markup and executes the script in the context of the victim's session.
The issue is classified as stored XSS [CWE-79]. Exploitation requires an authenticated account that is permitted to upload or edit files. Once persisted, the payload triggers for every viewer of the affected resource until the entry is sanitized or removed.
Root Cause
The root cause is missing output encoding and inadequate input sanitization on the name parameter handled by files-edit.php. ProjectSend r1295 stores the raw value in its database and reflects it back into HTML without escaping characters such as <, >, ", and '. The application also lacks a strict Content Security Policy that would mitigate inline script execution.
Attack Vector
The attack vector is network-based and requires low-privilege authentication plus user interaction by a victim viewing the file listing. An attacker uploads or edits a file and supplies a name value containing a JavaScript payload. The payload is stored server-side. When a higher-privileged user, such as a System Administrator, opens the Dashboard, the browser executes the attacker's script. The attacker can steal session cookies, perform actions on behalf of the administrator, or pivot to other application functionality. See the VulnCheck Advisory on ProjectSend and Exploit-DB #50240 for technical details.
Detection Methods for CVE-2021-47947
Indicators of Compromise
- File entries in the ProjectSend database whose name column contains HTML tags, <script> blocks, onerror, onload, or javascript: URIs.
- Web server access logs showing POST requests to files-edit.php with name parameter values containing angle brackets or URL-encoded script payloads.
- Outbound network connections from administrator browsers to attacker-controlled domains shortly after viewing the Dashboard.
Detection Strategies
- Query the ProjectSend file metadata tables for rows where the name field matches regex patterns for HTML or JavaScript syntax.
- Inspect HTTP request bodies to files-edit.php for encoded payloads such as %3Cscript%3E or attribute breakouts.
- Review browser console errors and Content Security Policy violation reports from administrator sessions.
Monitoring Recommendations
- Enable web application firewall logging for all requests to files-edit.php and alert on payloads matching XSS signatures.
- Monitor administrator authentication sessions for anomalous activity following Dashboard access, including unexpected user creations or permission changes.
- Aggregate ProjectSend and web server logs into a centralized analytics pipeline for cross-correlation of upload events and subsequent administrator activity.
How to Mitigate CVE-2021-47947
Immediate Actions Required
- Upgrade ProjectSend to a release later than r1295 that addresses the stored XSS issue. Consult the ProjectSend Official Site and the ProjectSend Download page for current builds.
- Audit existing file entries and remove or sanitize any name values containing HTML or JavaScript syntax.
- Rotate session cookies and credentials for administrator accounts that may have viewed malicious file entries.
Patch Information
Upgrade to a ProjectSend version newer than r1295. Refer to the VulnCheck Advisory on ProjectSend for fix references and to the ProjectSend Official Site for the latest release notes. Restrict file upload and edit permissions to trusted users until patching is complete.
Workarounds
- Restrict access to files-edit.php to a limited set of trusted authenticated users via web server access control rules.
- Deploy a web application firewall rule that blocks requests to files-edit.php whose name parameter contains <, >, or known XSS keywords such as script, onerror, or javascript:.
- Enforce a strict Content Security Policy that disallows inline scripts and limits script sources, reducing impact if a payload is stored.
- Require administrators to use isolated browser profiles when managing ProjectSend, limiting cookie reuse across sessions.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
