Back to KEVs

CVE-2024-11680

ProjectSend Unauthenticated Configuration Modification

Basic Information

CVE State: PUBLISHED
Reserved Date: November 25, 2024
Published Date: November 26, 2024
Last Updated: December 06, 2024
Vendor: ProjectSend
Product: ProjectSend
Description: ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2024-12-03 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2024-12-04 18:42:43 UTC) Source

References

https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744 https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml https://vulncheck.com/advisories/projectsend-bypass

Known Exploited Vulnerability Information

Source	Added Date
CISA	2024-12-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb	2025-04-29 11:01:14 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-11680.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

projectsend_unauth_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2024-11680

D3N14LD15K/CVE-2024-11680_PoC_Exploit

Type: github • Created: 2024-12-04 18:42:43 UTC • Stars: 13

This repository contains a Proof of Concept (PoC) exploit for CVE-2024-11680, a critical vulnerability in ProjectSend r1605 and older versions. The exploit targets an improper authentication flaw due Privilege Misconfiguration issues.