CVE Catalog

Actively exploited in the wild

ProjectSend Improper Authentication Vulnerability

ProjectSend - ProjectSend · Listed in the CISA KEV since 2024-12-03. This indicates confirmed attacks in production environments.

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2024-11680

CriticalCVSS 9.8KEV
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
91.56%

100th percentile - higher than 100% of all known CVEs

Summary

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Risk Assessment

The risk for the organization includes complete takeover of the ProjectSend application, potentially leading to data theft, further attacks on infrastructure, and system integrity compromise.

Recommendation

Immediately update ProjectSend to version r1720 or later. If updating is not possible, restrict access to options.php to trusted IP addresses only.

Original NVD description (English source)

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS