Back to CVE overview
CVE-2024-11680
CRITICAL(9.8)KEV — Actively ExploitedCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Risk Signal Score82/100 — KRITISCH
- CVSS 9.8 — Kritisch
- EPSS 92% — sehr wahrscheinlich ausgenutzt
- Im CISA KEV-Katalog (aktiv ausgenutzt)
CISA KEV
Confirmed exploited
EPSS-Score
92%
Exploit Probability (30 days)
CVSS Score
9.8
Technical Severity
Description
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
References
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilit...
- https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd5...
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linu...
- https://vulncheck.com/advisories/projectsend-bypass
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-mult...
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-...