VDB
CVE-2024-11680
CVE-2024-11680
PUBLISHED
KEV
CVSS 9.800000190734863 CRITICAL
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
EPSS 93.49% · 99.8th percentile
Risk Scores
CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
93.49%
99.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ProjectSend | ProjectSend | 0, 0 |
| projectsend | projectsend | 0, 0, 0 |
| projectsend | projectsend | 0, 0 |
Timeline
- Jan 20, 1970 Metasploit Module
- Jan 21, 1970 Nuclei Template
- Jan 21, 1970 Fix Commit
- Jan 21, 1970 Metasploit Module
- Jun 17, 2024 CrowdSec Sighting
- Nov 21, 2024 PoC Published
- Nov 26, 2024 CVE Published
- Nov 26, 2024 PoC Published
- Nov 27, 2024 EPSS Score
- Nov 27, 2024 PoC Published
- Nov 27, 2024 PoC Published
- Nov 27, 2024 PoC Published
References
- https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744 patch
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf third-party-advisory
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb exploit
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml exploit
- https://vulncheck.com/advisories/projectsend-bypass third-party-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-11680 advisory