CVE-2024-11680 PoC Exploit in ProjectSend r1605 and Older Versions - #CVE-2024-11680
A critical vulnerability (CVE-2024-11680) in ProjectSend, an open-source file-sharing application, has been actively exploited since its discovery in early 2024. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to bypass authentication, modify configurations, and execute arbitrary code. Despite a patch being available since May 2023, only 1% of ProjectSend instances have been updated, leaving 99% vulnerable. Attackers have been observed changing landing page titles, enabling user registration, and uploading webshells. The exploitation has been facilitated by public tools and exploit code. A Proof of Concept exploit demonstrating the vulnerability's impact through CSRF and privilege misconfiguration has been released for ethical testing purposes. Users are strongly advised to upgrade to version r1720 or later immediately to mitigate the risk.