TROYANOSYVIRUS

CVE-2024-11680

CRITICAL | CISA KEV
9.8

Description

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

CVE Details

CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 11/26/2024
Last modified: 10/31/2025
Source: kev
Honeypot sightings: 0

CISA KEV

Vendor: ProjectSend
Product: ProjectSend
Vulnerability name: ProjectSend Improper Authentication Vulnerability
Date added to KEV: 2024-12-03
Remediation due date: 2024-12-24
Ransomware use: Unknown

Affected products

projectsend:projectsend

Weaknesses (CWE)

CWE-306

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.