CVE-2024-11680
ProjectSend Unauthenticated Configuration Modification
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
| CWE | CWE-306 |
| Vendor | projectsend |
| Product | projectsend |
| Published | Nov 26, 2024 |
| Last Updated | Nov 22, 2025 |
โ ๏ธ Actively Exploited โ Act Now
Get instant alerts for projectsend projectsend
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2024-11680.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
ProjectSend / ProjectSend
0 < r1720
References
github.com: https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744 synacktiv.com: https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf github.com: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb github.com: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml vulncheck.com: https://vulncheck.com/advisories/projectsend-bypass cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680