Back to KEVs

CVE-2024-11680

ProjectSend Unauthenticated Configuration Modification

Basic Information

CVE State
PUBLISHED
Reserved Date
November 25, 2024
Published Date
November 26, 2024
Last Updated
December 06, 2024
Vendor
ProjectSend
Product
ProjectSend
Description
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Tags
php cisa nuclei_scanner metasploit_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2024-12-03 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2024-12-04 18:42:43 UTC) Source

References

https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744 https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml https://vulncheck.com/advisories/projectsend-bypass

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-12-03 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb 2025-04-29 11:01:14 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-11680.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

projectsend_unauth_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2024-11680

D3N14LD15K/CVE-2024-11680_PoC_Exploit

Type: github • Created: 2024-12-04 18:42:43 UTC • Stars: 13

This repository contains a Proof of Concept (PoC) exploit for CVE-2024-11680, a critical vulnerability in ProjectSend r1605 and older versions. The exploit targets an improper authentication flaw due Privilege Misconfiguration issues.

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Detected by Metasploit