CVE-2024-11680
ProjectSend Improper Authentication Vulnerability
CVSS
9.8
Crítico
EPSS
91.6%
p100
KEV
SÍ
3 dic 2024
Exploit Today
80
0-100
Publicado: 26 nov 2024 · Última mod.: 14 jul 2026 · CWE-306
Producto
ProjectSend / ProjectSend
Vulnerabilidad
ProjectSend Improper Authentication Vulnerability
Añadido a KEV
3 dic 2024
Remediar antes de
24 dic 2024
Uso conocido en ransomware
No
Descripción resumida
ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Acción requerida
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notas
https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744 ; https://nvd.nist.gov/vuln/detail/CVE-2024-11680
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
- github.comhttps://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
- github.comhttps://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
- github.comhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
- vulncheck.comhttps://vulncheck.com/advisories/projectsend-bypass
- www.synacktiv.comhttps://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
- www.cisa.govhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680