CVE-2024-11680: ProjectSend Unauthenticated Configuration Modification

9.8 CVSS

Description

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Known Exploited

🚨 Marked as known exploited on December 3rd, 2024 (5 months ago).

Classification

CVE ID: CVE-2024-11680

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector:

Affected Products

Vendor: ProjectSend

Product: ProjectSend

Nuclei Template

http/cves/2024/CVE-2024-11680.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 46.82% (probability of being exploited)

EPSS Percentile: 97.57% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
https://vulncheck.com/advisories/projectsend-bypass

Timeline

2024-11-27 14:41:48 UTC
CVE

ProjectSend Unauthenticated Configuration Modification
2024-12-03 15:20:41 UTC
🚨 Marked as Known Exploited
2024-12-03 15:20:49 UTC
CISA KEV

ProjectSend Improper Authentication Vulnerability
2024-12-12 23:00:18 UTC
DarkWebInformer

CVE-2024-11680 PoC Exploit in ProjectSend r1605 and Older Versions