ProjectSend Vulnerability CVE-2024-11680 Allows Code Execution
2024-11-28
Learn about the importance of timely patch management and how exploiting unpatched vulnerabilities can lead to major security risks.
A critical security vulnerability in the ProjectSend file-sharing application, originally reported in January 2023 and patched in August 2024, is being actively exploited. The flaw allows attackers to execute arbitrary PHP code on affected servers by bypassing authorization checks. Despite the availability of a patched version, only 1% of the 4,000 internet-exposed ProjectSend servers have been updated, leaving the majority susceptible to attacks that include web shell installations and potential malicious JavaScript embedding. Users are urged to update to the latest version to protect against these threats.
Patch Management, Web App/Website Vulnerability, Open Source
ProjectSend, CVE-2024-11680, Code Execution, Open Source Vulnerability, Web Shell
ProjectSend
Critical Security Vulnerability in ProjectSend
A significant security flaw has been identified in ProjectSend, an open-source file-sharing application. This vulnerability, now actively exploited, was initially patched in May 2023, but the fix only became publicly available in August 2024 with the release of version r1720. The flaw is cataloged as CVE-2024-11680 and has a high severity score of 9.8 on the CVSS scale.
Nature of the Vulnerability
The vulnerability arises from improper authorization checks within ProjectSend, specifically in version r1605. It allows attackers to execute arbitrary PHP code on servers that host the application and gives unauthorized individuals the ability to perform sensitive operations such as enabling user registration, enabling auto-validation, and modifying the whitelist of permitted file extensions.
Exploitation in the Wild
According to VulnCheck, threat actors have been targeting publicly accessible ProjectSend servers using exploit code made available by Project Discovery and Rapid7. These attacks began around September 2024 and are not limited to scanning for vulnerable servers: attackers have been leveraging the flaw to install web shells, which can be found at predictable locations in the upload/files/ directory under the webroot. The vulnerability also allows malicious JavaScript to be embedded, providing an alternative attack vector.
Current Impact
An analysis of approximately 4,000 internet-facing ProjectSend servers indicates that only 1% have been updated to the patched version r1750. The majority are still running older, vulnerable versions, leaving them exposed to exploitation.
Recommended Actions
Given the active exploitation and the number of exposed servers, it is crucial that users update their ProjectSend installations to the latest version immediately to mitigate these threats.
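The two facts a defender can act on here are the patched release number (r1750) and the predictable web shell location (upload/files/ under the webroot). The following Python audit script is an added example written for this page; it is not code from the article, from VulnCheck, or from the ProjectSend project. It assumes the operator supplies the installed release string (it does not read any ProjectSend file of its own), and the list of PHP-executable extensions is this example's assumption, not something the article specifies. The sample webroot it builds is constructed placeholder data so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Extensions a typical PHP web server would execute if such a file were
# reachable under the upload directory. Assumed list for this example;
# adjust to match the server's actual handler configuration.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# The patched release named in the article, "r1750", as an integer.
PATCHED_RELEASE = 1750


def parse_release(version: str) -> int:
    """Turn a ProjectSend release tag such as 'r1605' into an integer."""
    m = re.fullmatch(r"\s*r?(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised ProjectSend version string: {version!r}")
    return int(m.group(1))


def is_vulnerable_release(version: str) -> bool:
    """True if the installed release predates the patched r1750."""
    return parse_release(version) < PATCHED_RELEASE


def find_suspicious_uploads(webroot: str) -> list[str]:
    """Walk upload/files/ under the webroot and return (sorted, relative)
    paths of files carrying a PHP-executable suffix anywhere in their name,
    so a double extension such as 'photo.php.jpg' is flagged as well."""
    upload_dir = Path(webroot) / "upload" / "files"
    hits: list[str] = []
    if not upload_dir.is_dir():
        return hits
    for path in upload_dir.rglob("*"):
        if not path.is_file():
            continue
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & EXECUTABLE_EXTENSIONS:
            hits.append(path.relative_to(webroot).as_posix())
    return sorted(hits)


def audit(webroot: str, version: str) -> dict:
    """Combine the version check and the upload-directory sweep."""
    return {
        "vulnerable_release": is_vulnerable_release(version),
        "suspicious_uploads": find_suspicious_uploads(webroot),
    }


def build_constructed_sample() -> str:
    """Create a throwaway directory tree that mimics a ProjectSend webroot,
    seeded with harmless placeholder files (constructed sample data, not
    real uploads or real shells)."""
    root = tempfile.mkdtemp(prefix="projectsend-demo-")
    files = Path(root) / "upload" / "files"
    files.mkdir(parents=True)
    (files / "report.pdf").write_bytes(b"%PDF-1.4 placeholder")
    (files / "notes.txt").write_text("placeholder")
    (files / "image.php").write_text("<?php /* placeholder, not a real shell */ ?>")
    (files / "photo.php.jpg").write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_constructed_sample()
    # Constructed scenario: an r1605 install with two PHP-executable uploads.
    print(audit(demo_root, "r1605"))
```

Run it against a real install as `audit("/path/to/webroot", "<release string from the admin UI>")`; a non-empty `suspicious_uploads` list on a file-sharing application that should never serve PHP from its upload directory is worth an incident-response look regardless of the version result, and a `vulnerable_release` of `True` means the upgrade to r1750 or later is the fix.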
https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html?m=1