CVE-2024-11680

Source
https://cve.org/CVERecord?id=CVE-2024-11680
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11680.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-11680
Published
2024-11-26T09:55:23.588Z
Modified
2026-07-08T06:41:34.428561948Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ProjectSend Unauthenticated Configuration Modification
Details

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/11xxx/CVE-2024-11680.json",
    "cwe_ids": [
        "CWE-306"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/projectsend/projectsend

Affected ranges

Type
GIT
Repo
https://github.com/projectsend/projectsend
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "r1720"
        }
    ]
}

Affected versions

Other
Stable
r1053
r1070
r1335
r1415
r1420
r1584
r1605
r559
r753
r754
r756

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11680.json"