CVE-2024-11680
ProjectSend < r1720 - Auth Bypass
Tags: CRITICAL, KEV, NUCLEI
Title source: llmDescription
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Exploits (4)
github: WORKING POC, 40 stars, by iSee857 (python, poc)
https://github.com/iSee857/CVE-PoC/tree/main/ProjectSend(CVE-2024-11680).py
nomisec: WORKING POC, 12 stars, by D3N14LD15K (remote)
https://github.com/D3N14LD15K/CVE-2024-11680_PoC_Exploit
metasploit: WORKING POC, EXCELLENT, by Florent Sicchio, Hugo Clout, ostrichgolf (ruby, poc, php)
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
Nuclei Templates (1)
ProjectSend <= r1605 - Improper Authorization (CRITICAL, VERIFIED, by DhiyaneshDK)
Shodan:
http.html:"projectsend" || http.html:"projectsend setup" || http.html:"provided by projectsend"
FOFA:
body="projectsend" || body="projectsend setup" || body=provided by projectsend
Scores
CVSS v3: 9.8
EPSS: 0.9386
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV: 2024-12-03
VulnCheck KEV: 2024-11-26
InTheWild.io: 2024-12-03
ENISA EUVD: EUVD-2024-34152
CWE: CWE-306
Status: published
Products (1)
projectsend/projectsend < r1720
Published: Nov 26, 2024
KEV Added: Dec 03, 2024
Tracked Since: Feb 18, 2026