Actively exploited in the wild
ProjectSend Improper Authentication Vulnerability
ProjectSend - ProjectSend · Listed in the CISA KEV since 2024-12-03. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2024-11680
CriticalCVSS 9.8KEVExploitation Probability (EPSS)
Very high risk100th percentile - higher than 100% of all known CVEs
Summary
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Risk Assessment
The risk for the organization includes complete takeover of the ProjectSend application, potentially leading to data theft, further attacks on infrastructure, and system integrity compromise.
Recommendation
Immediately update ProjectSend to version r1720 or later. If updating is not possible, restrict access to options.php to trusted IP addresses only.
Original NVD description (English source)
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

