Arbitrary PHP Code Execution via dbprefix Parameter in ProjectSend r754

Arbitrary PHP Code Execution via dbprefix Parameter in ProjectSend r754

CVE-2017-9741 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

install/make-config.php in ProjectSend r754 allows remote attackers to execute arbitrary PHP code via the dbprefix parameter, related to replacing TABLES_PREFIX in the configuration file.

Learn more about our Web Application Penetration Testing UK.