Zurück zur CVE-Übersicht
CVE-2024-11680
CRITICAL(9.8)KEV — Aktiv ausgenutztCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Risk Signal Score82/100 — KRITISCH
- CVSS 9.8 — Kritisch
- EPSS 92% — sehr wahrscheinlich ausgenutzt
- Im CISA KEV-Katalog (aktiv ausgenutzt)
CISA KEV
Bestätigt ausgenutzt
EPSS-Score
92%
Exploit-Wahrscheinlichkeit (30 Tage)
CVSS Score
9.8
Technische Schwere
Beschreibung
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Referenzen
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilit...
- https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd5...
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linu...
- https://vulncheck.com/advisories/projectsend-bypass
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-mult...
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-...