Home > Vulnerability Database > CVE-2024-11680

Mend.io Vulnerability Database

CVE-2024-11680

Date: November 26, 2024

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Language: PHP

Severity Score

9.8

Related Resources (7)

Url: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-11680

Url: https://vulncheck.com/advisories/projectsend-bypass

Url: https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf

Url: https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744

Url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb

Url: https://www.mend.io/vulnerability-database/CVE-2024-11680

Severity Score

9.8

Weakness Type (CWE)

Improper Authentication

CWE-287

Missing Authentication for Critical Function

CWE-306

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-11680

Date: November 26, 2024

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?