ProjectSend r754 suffers from authentication bypass and insecure direct object reference vulnerabilities.