Vulnerability Details CVE-2024-11680
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.936
EPSS Ranking 99.8%
CVSS Severity
CVSS v3 Score 9.8
Proposed Action
ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Ransomware Campaign
Unknown
References
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
- https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
- https://vulncheck.com/advisories/projectsend-bypass
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
Products affected by CVE-2024-11680
-
cpe:2.3:a:projectsend:projectsend:100
-
cpe:2.3:a:projectsend:projectsend:102
-
cpe:2.3:a:projectsend:projectsend:105
-
cpe:2.3:a:projectsend:projectsend:1053
-
cpe:2.3:a:projectsend:projectsend:1070
-
cpe:2.3:a:projectsend:projectsend:110
-
cpe:2.3:a:projectsend:projectsend:155
-
cpe:2.3:a:projectsend:projectsend:156
-
cpe:2.3:a:projectsend:projectsend:157
-
cpe:2.3:a:projectsend:projectsend:161
-
cpe:2.3:a:projectsend:projectsend:180
-
cpe:2.3:a:projectsend:projectsend:335
-
cpe:2.3:a:projectsend:projectsend:375
-
cpe:2.3:a:projectsend:projectsend:405
-
cpe:2.3:a:projectsend:projectsend:412
-
cpe:2.3:a:projectsend:projectsend:514
-
cpe:2.3:a:projectsend:projectsend:559
-
cpe:2.3:a:projectsend:projectsend:561
-
cpe:2.3:a:projectsend:projectsend:582
-
cpe:2.3:a:projectsend:projectsend:753
-
cpe:2.3:a:projectsend:projectsend:754
-
cpe:2.3:a:projectsend:projectsend:756
-
cpe:2.3:a:projectsend:projectsend:r1053
-
cpe:2.3:a:projectsend:projectsend:r1070
-
cpe:2.3:a:projectsend:projectsend:r1270
-
cpe:2.3:a:projectsend:projectsend:r1295
-
cpe:2.3:a:projectsend:projectsend:r1335
-
cpe:2.3:a:projectsend:projectsend:r1415
-
cpe:2.3:a:projectsend:projectsend:r1420
-
cpe:2.3:a:projectsend:projectsend:r1584
-
cpe:2.3:a:projectsend:projectsend:r1605
-
cpe:2.3:a:projectsend:projectsend:r375
-
cpe:2.3:a:projectsend:projectsend:r405
-
cpe:2.3:a:projectsend:projectsend:r412
-
cpe:2.3:a:projectsend:projectsend:r514
-
cpe:2.3:a:projectsend:projectsend:r559
-
cpe:2.3:a:projectsend:projectsend:r561
-
cpe:2.3:a:projectsend:projectsend:r571
-
cpe:2.3:a:projectsend:projectsend:r572
-
cpe:2.3:a:projectsend:projectsend:r582
-
cpe:2.3:a:projectsend:projectsend:r609
-
cpe:2.3:a:projectsend:projectsend:r753
-
cpe:2.3:a:projectsend:projectsend:r754
-
cpe:2.3:a:projectsend:projectsend:r756