A critical vulnerability has been identified in ProjectSend, allowing unauthenticated attackers to download any private file stored on the system. This flaw, due to an insecure direct object reference, poses a severe risk of a complete data breach, as an attacker can systematically access all sensitive documents without needing valid credentials. Immediate patching is required to prevent the exposure of confidential information.

The vulnerability is an Insecure Direct Object Reference (IDOR) within the file download functionality. The application's process.php script accepts an 'id' parameter to identify which file to serve for download. Crucially, the application fails to perform an authorization check to verify that the user requesting the file has the necessary permissions to access it. An unauthenticated attacker can exploit this by sending a direct request to process.php and systematically iterating through numerical values for the 'id' parameter, allowing them to download any file hosted by the application, including those belonging to other users.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation would result in a complete loss of data confidentiality for all files managed by the ProjectSend instance. The potential business impact includes the theft of intellectual property, exposure of sensitive customer or internal corporate documents, non-compliance with data protection regulations (such as GDPR or CCPA) leading to significant financial penalties, and severe reputational damage. The ease of exploitation and lack of required authentication make the risk of a breach extremely high.

Immediate Action: Update ProjectSend Multiple Products to the latest version. Check the vendor's security advisory for specific patch details and installation instructions. After patching, it is crucial to monitor for exploitation attempts and review historical access logs for signs of compromise.

Proactive Monitoring: Security teams should monitor web server access logs for an unusual volume of requests to the process.php file, particularly GET requests with sequentially incrementing 'id' parameter values originating from a single IP address. Additionally, monitor network traffic for anomalous data egress patterns that could indicate bulk file exfiltration.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to inspect, rate-limit, or block suspicious requests targeting the process.php endpoint. Restricting network access to the application, allowing connections only from trusted IP ranges, can also temporarily reduce the attack surface.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the direct threat to data confidentiality, this vulnerability must be addressed with the highest priority. We strongly recommend applying the vendor-supplied patch immediately to all affected ProjectSend instances. Although this CVE is not currently listed on the CISA KEV list, its severity and ease of exploitation make it a prime candidate for widespread attacks. Organizations should not delay remediation and should assume active exploitation is imminent.