CVE-2024-11680
Published: 26 November 2024
Summary
CVE-2024-11680 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in ProjectSend. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Deeper analysis
ProjectSend versions prior to r1720 contain an improper authentication vulnerability tracked as CVE-2024-11680. The flaw resides in the options.php endpoint and stems from missing authentication checks, allowing remote attackers to alter application configuration settings without any credentials. The issue carries a CVSS 3.1 score of 9.8 and is classified under CWE-306.
Unauthenticated attackers can exploit the weakness by submitting specially crafted HTTP requests to options.php. Successful exploitation grants the ability to create new administrative accounts, upload webshells, and inject arbitrary JavaScript into the application, resulting in full compromise of the affected instance.
Public references, including the official ProjectSend commit and the Synacktiv advisory, indicate that the vulnerability is resolved in release r1720; administrators should upgrade immediately. Detection templates for Nuclei and an exploit module in Metasploit Framework are also available, while the EPSS score remains elevated above 0.93.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34152
Vulnerability details
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
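The request shape described above (an unauthenticated POST to options.php) is something a defender can look for in ordinary web-server access logs. The following added example, which is not part of this advisory or of ProjectSend, parses combined-format log lines, reports every POST to options.php per source address, marks those sent without a Referer from the application's own pages as higher suspicion, and checks a release tag against the fixed release r1720. The log lines are constructed, and the /projectsend/ path prefix is an assumption.

```python
"""Triage access logs for CVE-2024-11680 exploitation attempts (added example).

Assumptions: Apache/nginx "combined" log format; ProjectSend served under a
hypothetical /projectsend/ prefix; sample log lines below are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one scripted POST with no Referer, one browser POST
# from an admin already on the options page.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2024:10:15:02 +0000] "GET /projectsend/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2024:10:15:09 +0000] "POST /projectsend/options.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [27/Nov/2024:11:02:44 +0000] "POST /projectsend/options.php HTTP/1.1" 302 0 "https://files.example.com/projectsend/options.php" "Mozilla/5.0"
"""


def is_vulnerable_release(release: str, fixed: str = "r1720") -> bool:
    """True when a ProjectSend release tag such as 'r1605' is older than the fix."""
    m = re.fullmatch(r"r(\d+)", release.strip())
    if not m:
        raise ValueError(f"unrecognised release tag: {release!r}")
    return int(m.group(1)) < int(fixed[1:])


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_options_writes(lines):
    """Map source IP -> list of POSTs to options.php.

    A POST with no Referer is flagged: browsers submitting the settings form
    send one, while scripted tooling usually does not.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].split("?")[0].endswith("/options.php"):
            continue
        no_referer = rec["referer"] in ("", "-")
        hits[rec["ip"]].append(
            {"ts": rec["ts"], "status": int(rec["status"]), "ua": rec["ua"], "no_referer": no_referer}
        )
    return dict(hits)
```

Every flagged address still needs correlation against the application's own admin login records, since a legitimate administrator also POSTs to options.php.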
- CWE(s): CWE-306
- KEV Date Added: 03 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks before permitting any modification to options.php configuration settings.
- CM-5 (Access Restrictions for Change): restricts the ability to change application configuration or install code (webshells) to only authorized and authenticated identities.
- Vendor patch: requires prompt application of the vendor patch (r1720) that adds the missing authentication enforcement on the vulnerable endpoint.