PatchSiren cyber security CVE debrief
CVE-2021-47947 Exploit Db CVE debrief
CVE-2021-47947 is a stored cross-site scripting vulnerability in ProjectSend r1295. According to the supplied record, an authenticated attacker can submit crafted input to the files-edit.php name parameter; the payload is stored and can execute when other users view the affected file entry, including System Administrator users on the Dashboard page.
- Vendor
- Exploit Db
- Product
- Unknown
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-10
- Original CVE updated
- 2026-05-10
- Advisory published
- 2026-05-10
- Advisory updated
- 2026-05-10
Who should care
ProjectSend administrators and operators, especially environments where multiple authenticated users can edit or view files and where dashboard access is used by privileged staff.
Technical summary
The vulnerability is identified as CWE-79 (cross-site scripting). The supplied description says crafted input in the files-edit.php name parameter is stored and later rendered in a way that allows JavaScript execution in a browser. Because the attack requires authentication and user interaction, the practical risk centers on session exposure, privilege misuse, and administrative dashboard compromise.
Defensive priority
Medium. The issue requires authentication and user interaction, but it can impact privileged browser sessions and administrative workflows.
Recommended defensive actions
- Upgrade ProjectSend to a version that remediates CVE-2021-47947, or apply the vendor's fix if a patch is provided.
- Review files-edit.php and related file-name rendering paths for output encoding and context-appropriate escaping.
- Restrict file-editing permissions to the minimum necessary set of authenticated users.
- Treat file and metadata fields as untrusted input and validate, sanitize, and encode on output.
- Audit dashboard and admin-user workflows for stored XSS exposure, especially where file names are displayed.
- Use security headers such as a restrictive Content Security Policy to reduce script execution impact.
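To make the output-encoding and CSP actions concrete, here is an added PHP example (not ProjectSend's own code; the function names, the row template and the sample file name are hypothetical constructions) that places the vulnerable pattern, a stored file name echoed raw into the page, beside the hardened pattern that encodes every interpolation point for its HTML context:

```php
<?php
// Added example, not ProjectSend's code. Hypothetical helpers showing the
// vulnerable pattern (untrusted file name echoed raw) beside the hardened
// pattern (context-appropriate output encoding) for a file listing row.
declare(strict_types=1);

// Vulnerable pattern: the stored name is concatenated straight into HTML.
// Whatever markup the name carries becomes part of the page the viewer's
// browser renders, which is the CWE-79 shape described in the debrief.
function render_file_row_unsafe(string $name, int $id): string
{
    return "<tr><td>$name</td>"
         . "<td><a href=\"files-edit.php?id=$id\" title=\"$name\">Edit</a></td></tr>";
}

// HTML body / quoted-attribute context: encode & < > " ' so the value is
// displayed as text rather than interpreted as markup.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every place the untrusted name lands is encoded, both
// the cell body and the double-quoted title attribute.
function render_file_row_safe(string $name, int $id): string
{
    $safeName = esc_html($name);
    return "<tr><td>$safeName</td>"
         . "<td><a href=\"files-edit.php?id=$id\" title=\"$safeName\">Edit</a></td></tr>";
}

// Defence in depth: a restrictive CSP so that an encoding miss elsewhere
// still cannot run inline script in an administrator's browser session.
// Must be sent before any output; a no-op when run from the CLI.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample name containing characters that change meaning in HTML.
$sample = 'Q3 "budget" <draft> & notes';
assert(str_contains(render_file_row_unsafe($sample, 42), '<draft>'));
assert(!str_contains(render_file_row_safe($sample, 42), '<draft>'));
assert(str_contains(render_file_row_safe($sample, 42), '&lt;draft&gt;'));
assert(str_contains(render_file_row_safe($sample, 42), 'title="Q3 &quot;budget&quot;'));
```

The asserts compare the two renderings on the same constructed name: the unsafe row still contains a live `<draft>` tag, while the safe row shows it as text and keeps the title attribute's quoting intact.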
Evidence notes
The NVD-modified source item lists the issue as CVE-2021-47947 with CWE-79 and describes a stored XSS in ProjectSend r1295 via the files-edit.php name parameter. Its references include Exploit-DB 50240, the ProjectSend site/download page, and a VulnCheck advisory URL. This debrief relies only on that supplied record and description.
Official resources
Publicly documented in the NVD record on 2026-05-10, with references to Exploit-DB 50240 and a VulnCheck advisory for ProjectSend r1295.