CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2024-11680

CVSS 9.8v3.1pub. 2024-11-26upd. 2025-10-31

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

🤖 AI Analysis
How it works

The attacker sends a crafted HTTP request to the options.php file without needing to possess any credentials. The lack of proper identity verification on the server side enables unauthorized modification of application configuration. As a result, it is possible to create new user accounts, upload webshells to the server, and inject malicious JavaScript code into the application interface.

Impact

An attacker can gain full control of the server by executing arbitrary code (RCE) through an uploaded webshell, and can also compromise data integrity and conduct attacks against application users using malicious JavaScript.

Mitigation & patch

ProjectSend must be immediately updated to version r1720 or newer. A patch is available in the official project repository (commit 193367d937b1a59ed5b68dd4e60bd53317473744). Until updating, it is recommended to restrict access to the options.php file at the web server level or via firewall.

Who is affected

ProjectSend in all versions earlier than r1720

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Projectsend

    APP
    Projectsend
    < r1720

CISA KEV — detailsi

Vendori
ProjectSend
Producti
ProjectSend
Added to KEVi
December 3, 2024
Remediation deadline (US Federal)i
December 24, 2024(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 24 grudnia 2024
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2021-40887CRITICAL9.8ten sam produkt

Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization ...

CVE-2016-10733CRITICAL9.8ten sam produkt

ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query...

CVE-2016-10731CRITICAL9.8ten sam produkt

ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, ...

CVE-2016-10732CRITICAL9.8ten sam produkt

ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, ed...

CVE-2016-10734CRITICAL9.8ten sam produkt

ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.