{"id":"CVE-2021-40888","details":"ProjectSend version r1295 is affected by Cross-Site Scripting (XSS) due to a lack of sanitization when echoing output data in the returnFilesIds() function. A low-privilege user can call this function through the process.php file and execute script code.","modified":"2026-04-10T04:38:06.512051Z","published":"2021-10-11T11:15:09.673Z","references":[{"type":"ADVISORY","url":"https://github.com/projectsend/projectsend/releases/tag/r1295"},{"type":"EVIDENCE","url":"https://github.com/projectsend/projectsend/issues/995"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/projectsend/projectsend","events":[{"introduced":"0"},{"last_affected":"1ec836a08d8c71d1347cc08552ee7b3bd218f21f"},{"fixed":"1ec836a08d8c71d1347cc08552ee7b3bd218f21f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"r1295"}]}}],"versions":["r1053","r1070","r1270","r1295","r559","r753","r754","r756"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40888.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}