CVE-2024-11680 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-11680 PUBLISHED KEV CVSS 9.800000190734863 CRITICAL

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

EPSS 93.49% · 99.8th percentile

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

93.49%

99.8th percentile

Affected Products

Vendor	Product	Versions
ProjectSend	ProjectSend	0
projectsend	projectsend	0, 0
projectsend	projectsend	0

Timeline

Jan 20, 1970 Metasploit Module
Jan 21, 1970 Nuclei Template
Jan 21, 1970 Fix Commit
Jan 21, 1970 Metasploit Module
Nov 21, 2024 PoC Published
Nov 26, 2024 CVE Published
Nov 26, 2024 PoC Published
Nov 27, 2024 EPSS Score
Nov 27, 2024 PoC Published
Dec 3, 2024 CISA KEV Added
Dec 3, 2024 PoC Published
Dec 3, 2024 PoC Published

References

Open in Interactive Console →