Improper Authentication Vulnerability in ProjectSend Affects Multiple Versions

CVE-2024-11680

9.8CRITICAL

Key Information

Vendor
Projectsend
Status
Projectsend
Vendor
CVE Published:
26 November 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 46%πŸ¦… CISA ReportedπŸ“° News Worthy

Summary

Vulnerability: CVE-2024-11680 Software: ProjectSend Potential Impact: Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. Exploitation in the Wild: Yes, threat actors are actively using public exploits for this critical authentication bypass flaw in ProjectSend to upload webshells and gain remote access to servers. The flaw has been actively exploited since September 2024, with evidence of public-facing ProjectSend servers being targeted and changes to landing page titles. Upgrading to ProjectSend version r1750 is critical to prevent attacks.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-11680 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

ProjectSend < 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-11680 - Proof of Concept

CVE-2024-11680 - Proof of Concept

CVE-2024-11680 - Proof of Concept

News Articles

favicon imageThe Cyber Express

CISA Adds Critical Flaws To Known Exploited Vulnerabilities

CISA updates its Known Exploited Vulnerabilities (KEV) Catalog with three critical flaws targeting Proself, ProjectSend, and Zyxel.

3 weeks ago

favicon imageInfosecurity Magazine

Malicious Actors Exploit ProjectSend Critical Vulnerability

This vulnerability was patched in May 2024 but was only allocated a CVE in November after evidence of exploitation

1 month ago

favicon imageSecurity Affairs

ProjectSend critical flaw actively exploited in the wild, experts warn

Researchers warn that a critical security flaw in ProjectSend open-source file-sharing application may be under active exploitation.

1 month ago

References

https://github.com/projectsend/projectsend/commit/193367d...
patch
https://www.synacktiv.com/sites/default/files/2024-07/syn...
third-party-advisoryexploit
https://github.com/rapid7/metasploit-framework/blob/maste...
exploit

EPSS Score

46% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ¦…

    CISA Reported

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre DatabaseCISA Database4 Proof of Concept(s)7 News Article(s)
.