Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-11680
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ProjectSend Unauthenticated Configuration Modification
Source: NVD (National Vulnerability Database)
Vulnerability Description
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键功能的认证机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
ProjectSend 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ProjectSend(cFTP)是ProjectSend开源的一套基于PHP和MySQL的自托管应用程序。 ProjectSend r1720之前版本存在安全漏洞,该漏洞源于受到身份验证漏洞的影响,远程未经身份验证的攻击者可以通过发送精心设计的HTTP请求实现对应用程序配置的未经授权修改。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
ProjectSendProjectSend 0 ~ r1720 -
II. Public POCs for CVE-2024-11680
#POC DescriptionSource LinkShenlong Link
1CVE-2024-11680: Improper Authentication (CWE-287)https://github.com/famixcm/CVE-2024-11680POC Details
2Nonehttps://github.com/exploitboom/CVE-2024-11680POC Details
3This repository contains a Proof of Concept (PoC) exploit for CVE-2024-11680, a critical vulnerability in ProjectSend r1605 and older versions. The exploit targets a Cross-Site Request Forgery (CSRF) flaw in combination with Privilege Misconfiguration issues.https://github.com/D3N14LD15K/CVE-2024-11680_PoC_ExploitPOC Details
4An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-11680.yamlPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2024-11680
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: ProjectSend
Same vendor: ProjectSend
Same weakness: CWE-306
V. Comments for CVE-2024-11680

No comments yet

Leave a comment