VYPR
Unrated severity · CISA KEV · NVD Advisory · Published Nov 26, 2024 · Updated Nov 22, 2025

ProjectSend Unauthenticated Configuration Modification

CVE-2024-11680

Description

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

