VDB

CVE-2024-11680

CVE-2024-11680 PUBLISHED KEV CVSS 9.800000190734863 CRITICAL

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

EPSS 93.49% · 99.8th percentile

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
93.49%
99.8th percentile

Affected Products

VendorProductVersions
ProjectSendProjectSend0, 0
projectsendprojectsend0, 0, 0
projectsendprojectsend0, 0

Timeline

  • Jan 20, 1970 Metasploit Module
  • Jan 21, 1970 Nuclei Template
  • Jan 21, 1970 Fix Commit
  • Jan 21, 1970 Metasploit Module
  • Jun 17, 2024 CrowdSec Sighting
  • Nov 21, 2024 PoC Published
  • Nov 26, 2024 CVE Published
  • Nov 26, 2024 PoC Published
  • Nov 27, 2024 EPSS Score
  • Nov 27, 2024 PoC Published
  • Nov 27, 2024 PoC Published
  • Nov 27, 2024 PoC Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›