← Zuruck zu CVEs

CVE-2024-11680

CRITICALCISA KEV

9.8

Beschreibung

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht11/26/2024

Zuletzt geandert10/31/2025

Quellekev

Honeypot-Sichtungen0

CISA KEV

HerstellerProjectSend

ProduktProjectSend

SchwachstellennameProjectSend Improper Authentication Vulnerability

KEV Aufnahmedatum2024-12-03

Behebungsfrist2024-12-24

Ransomware-NutzungUnknown

Betroffene Produkte

projectsend:projectsend

Schwachen (CWE)

CWE-306CWE-306

Referenzen

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml(disclosure@vulncheck.com)

https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744(disclosure@vulncheck.com)

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb(disclosure@vulncheck.com)

https://vulncheck.com/advisories/projectsend-bypass(disclosure@vulncheck.com)

https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf(disclosure@vulncheck.com)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.