DIVD-2024-00051 - Improper authorization vulnerability in ProjectSend
Our reference | DIVD-2024-00051 |
Case lead | Koen Schagen |
Author | Florian Krijt |
Researcher(s) | |
CVE(s) | CVE-2024-11680 |
Products | ProjectSend |
Versions | Prior to r1720 |
Recommendation | Upgrade to r1720 or later |
Patch status | Patch available |
Workaround | None |
Status | Open |
Last modified | 11 Dec 2024 21:46 CET |
Summary
A critical vulnerability in ProjectSend, a widely used open-source file-sharing platform, is being actively exploited. The flaw, present in versions prior to r1720, lets unauthenticated attackers modify the application configuration through requests that are not properly authorised. An attacker can use this to enable public user registration, upload PHP webshells, or embed malicious JavaScript, ultimately leading to server compromise.
Recommendations
To remediate CVE-2024-11680, upgrade ProjectSend to r1720 or later, which fixes the improper authorisation. Limit public exposure of the application with strict network controls, and review web server logs for unusual activity, in particular requests targeting options.php and unauthorised uploads appearing in upload/files/. On systems that have been compromised, remove malicious files, restore the original configuration, and investigate further for other signs of exploitation. Establish a patch management process to ensure timely updates and minimise exposure to future vulnerabilities.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of ProjectSend and to notify these parties.
Timeline
Date | Description |
---|---|
09 Dec 2024 | DIVD starts researching the vulnerability. |
09 Dec 2024 | DIVD finds fingerprint, preparing to scan. |
09 Dec 2024 | Case opened and starting first scan. |