← Back to CVEs

CVE-2024-11680

CRITICALCISA KEV

9.8

Description

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published11/26/2024

Last Modified10/31/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorProjectSend

ProductProjectSend

Vulnerability NameProjectSend Improper Authentication Vulnerability

KEV Date Added2024-12-03

Remediation Due Date2024-12-24

Ransomware UseUnknown

Affected Products

projectsend:projectsend

Weaknesses (CWE)

CWE-306CWE-306

References

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml(disclosure@vulncheck.com)

https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744(disclosure@vulncheck.com)

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb(disclosure@vulncheck.com)

https://vulncheck.com/advisories/projectsend-bypass(disclosure@vulncheck.com)

https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf(disclosure@vulncheck.com)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.