CVE-2024-11680 PoC — ProjectSend 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-11680.yaml

Associated Vulnerability

Title:ProjectSend 安全漏洞 (CVE-2024-11680)
Description:ProjectSend（cFTP）是ProjectSend开源的一套基于PHP和MySQL的自托管应用程序。 ProjectSend r1720之前版本存在安全漏洞，该漏洞源于受到身份验证漏洞的影响，远程未经身份验证的攻击者可以通过发送精心设计的HTTP请求实现对应用程序配置的未经授权修改。

Description

An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.

File Snapshot


 id: CVE-2024-11680

info:
  name: ProjectSend <= r1605 - Improper Authorization
  author: DhiyaneshD

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!