2018-10-29 13:29:01 2018-12-06 18:47:55

ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.