CVE-2024-11680 - ProjectSend Improper Authentication Vulnerability
Project: ProjectSend
Product: ProjectSend
Date Added: 2024-12-03
Due Date: 2024-12-24
Vulnerability Name
ProjectSend Improper Authentication Vulnerability
Description
ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to make unauthorized modifications to the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
https://nvd.nist.gov/vuln/detail/CVE-2024-11680
Related News Articles
CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel (December 5, 2024)