{"id":"CVE-2021-40884","details":"ProjectSend version r1295 is affected by sensitive information disclosure. Because authorization is not checked for the ids parameter in files-edit.php or the id parameter in process.php, a user with the uploader role can download and edit all files of users in the application.","modified":"2026-03-14T11:10:54.425633Z","published":"2021-10-11T11:15:09.547Z","references":[{"type":"EVIDENCE","url":"https://github.com/projectsend/projectsend/issues/992"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/projectsend/projectsend","events":[{"introduced":"0"},{"last_affected":"1ec836a08d8c71d1347cc08552ee7b3bd218f21f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"r1295"}]}}],"versions":["r1053","r1070","r1270","r1295","r559","r753","r754","r756"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40884.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}