CVE-2024-11680

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-11680
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11680.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-11680
Published
2024-11-26T10:15:04Z
Modified
2025-01-15T05:04:46.384558Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

References

Affected packages

Git / github.com/projectsend/projectsend

Affected ranges

Type
GIT
Repo
https://github.com/projectsend/projectsend
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

Stable
r1053
r1070
r1270
r1295
r1335
r1415
r1420
r1584
r1605
r559
r753
r754
r756