← Retour aux CVEs

CVE-2024-11680

CRITICALCISA KEV

9.8

Description

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie11/26/2024

Derniere modification10/31/2025

Sourcekev

Observations honeypot0

CISA KEV

FournisseurProjectSend

ProduitProjectSend

Nom vulnerabiliteProjectSend Improper Authentication Vulnerability

Date ajout KEV2024-12-03

Date limite remediation2024-12-24

Utilise dans ransomwareUnknown

Produits affectes

projectsend:projectsend

Faiblesses (CWE)

CWE-306CWE-306

References

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml(disclosure@vulncheck.com)

https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744(disclosure@vulncheck.com)

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb(disclosure@vulncheck.com)

https://vulncheck.com/advisories/projectsend-bypass(disclosure@vulncheck.com)

https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf(disclosure@vulncheck.com)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.