CVE-2024-11680 CRITICAL

CVE-2024-11680: ProjectSend Unauthenticated Configuration Modification

Vendor Projectsend
Product ProjectSend
Weakness CWE-306 · Missing auth
KEV Status Known Exploited
Published November 26, 2024
Last update November 22, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

CISA mandated remediation

02 CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03 Disclosure timeline

November 26, 2024 CVE published
November 22, 2025 Record updated