Cyber Resilience

CVE-2024-11680

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 November 2024
Modified: 31 October 2025
KEV Added: 03 December 2024
Patch: available (fixed in r1720)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9349 (99.8th percentile)
Risk Priority: 96 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11680 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in ProjectSend, an open-source file-sharing web application. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of all CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

ProjectSend versions prior to r1720 contain an authentication bypass tracked as CVE-2024-11680. The flaw resides in the options.php endpoint, which performs no authentication check before applying configuration changes, so a remote attacker can alter application settings without any credentials. The issue carries a CVSS 3.1 base score of 9.8 and is classified as CWE-306 (Missing Authentication for Critical Function).

Unauthenticated attackers can exploit the weakness by submitting specially crafted HTTP requests to options.php. Successful exploitation grants the ability to create new administrative accounts, upload webshells, and inject arbitrary JavaScript into the application, resulting in full compromise of the affected instance.

Public references, including the official ProjectSend fix commit and the Synacktiv advisory, indicate that the vulnerability is resolved in release r1720; administrators should upgrade immediately. A Nuclei detection template and a Metasploit Framework exploit module are also publicly available, and the EPSS score remains above 0.93, consistent with the active-exploitation status recorded above.
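As an added hunting example (not code from this page, from ProjectSend, or from the referenced Nuclei template or Metasploit module), the following Python script scans combined-format web-server access logs for the exploitation pattern described above: a POST to options.php from a client that has no preceding login, followed by requests to a PHP file under the upload directory. The login path (/index.php), the login success status (302), the upload prefix (/upload/) and the sample log lines are all assumptions constructed for the example; adjust them to your deployment.

```python
"""Hunt web-server access logs for the CVE-2024-11680 exploitation pattern:
POST requests to ProjectSend's options.php from clients that never logged in,
plus follow-on requests to PHP files under the upload directory (webshell use).
Example code written for this page, not part of ProjectSend or of any public
detection template."""
import re
from datetime import datetime

# Apache/nginx "combined" log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumptions for this example (adapt to your deployment): the login form posts
# to index.php and a successful login answers with a 302 redirect; the vulnerable
# endpoint is options.php; uploaded files live under /upload/.
LOGIN_PATHS = {"/index.php"}
LOGIN_SUCCESS_STATUS = 302
OPTIONS_PATH = "/options.php"
UPLOAD_PREFIX = "/upload/"

# Constructed sample log: an admin who logs in and then saves settings (benign),
# and an attacker who posts to options.php without logging in and later runs a
# PHP file from the upload directory. One unparseable line tests robustness.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Dec/2024:09:12:01 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Dec/2024:09:12:40 +0000] "POST /options.php HTTP/1.1" 302 0 "https://files.example/options.php" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2024:11:02:13 +0000] "GET /index.php HTTP/1.1" 200 5312 "-" "python-requests/2.32"
203.0.113.7 - - [03/Dec/2024:11:02:14 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "python-requests/2.32"
203.0.113.7 - - [03/Dec/2024:11:05:51 +0000] "GET /upload/files/cmd.php?c=id HTTP/1.1" 200 88 "-" "python-requests/2.32"
this line is deliberately not a valid access-log record
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def hunt(lines):
    """Return findings, in log order, for the CVE-2024-11680 pattern.

    A client counts as logged in once a POST to a login path returns the
    success status; later options.php POSTs from that client are treated as
    legitimate admin activity. Any other options.php POST is flagged, and the
    flagged client's subsequent 2xx hits on PHP files under the upload prefix
    are reported as likely webshell use.
    """
    logged_in = set()
    suspects = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if method == "POST" and path in LOGIN_PATHS and status == LOGIN_SUCCESS_STATUS:
            logged_in.add(ip)
        elif method == "POST" and path == OPTIONS_PATH and ip not in logged_in:
            suspects.add(ip)
            findings.append({"ip": ip, "ts": rec["ts"].isoformat(), "status": status,
                             "indicator": "unauthenticated POST to options.php"})
        elif (ip in suspects and path.startswith(UPLOAD_PREFIX)
              and path.endswith(".php") and 200 <= status < 300):
            findings.append({"ip": ip, "ts": rec["ts"].isoformat(), "status": status,
                             "indicator": f"PHP file served from upload dir: {path}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['indicator']}")
```

Run as-is, the script reports two findings for the constructed attacker (the options.php POST and the later cmd.php hit) and nothing for the admin, whose POST is preceded by a login. Replace SAMPLE_LOG with real log lines to use it. The heuristic is a triage lead, not proof: an administrator whose login falls outside the log window is flagged too, so confirm each hit against the installed ProjectSend version and the r1720 fix before escalating.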

EU & UK References

Vulnerability details

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 03 December 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: projectsend
Product: projectsend
Versions: prior to r1720 (fixed in r1720)

Mitigating Controls (NIST 800-53 r5; AI-assisted mapping)

AC-3 (Access Enforcement), prevent: Directly enforces authentication and authorization checks before permitting any modification to the configuration settings handled by options.php.

CM-5 (Access Restrictions for Change), prevent: Restricts the ability to change application configuration or install code (such as webshells) to authorized, authenticated identities.

Vendor patch, prevent: Requires prompt application of the vendor fix (release r1720), which adds the missing authentication enforcement on the vulnerable endpoint.

References