CVE-2024-11680 Overview
CVE-2024-11680 is an improper authentication vulnerability affecting ProjectSend, a popular open-source file sharing web application. The vulnerability exists in versions prior to r1720, where remote unauthenticated attackers can exploit the flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create arbitrary accounts, upload webshells, and embed malicious JavaScript, leading to complete system compromise.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Remote unauthenticated attackers can achieve full system compromise through webshell uploads and arbitrary code execution.
Affected Products
- ProjectSend versions prior to r1720
- All installations with options.php accessible via HTTP
Discovery Timeline
- 2024-11-26 - CVE-2024-11680 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2024-11680
Vulnerability Analysis
This vulnerability stems from missing authentication checks in the options.php configuration endpoint. ProjectSend's configuration interface fails to properly validate that incoming requests originate from authenticated administrator sessions. As a result, unauthenticated attackers can send specially crafted POST requests to modify critical application settings remotely.
The impact of this vulnerability is severe because attackers can chain multiple malicious actions: first enabling user self-registration, then creating attacker-controlled accounts, and finally uploading webshells or other malicious files. Additionally, attackers can inject malicious JavaScript into the application configuration, potentially affecting all users who access the compromised instance.
The vulnerability has been assigned CWE-306 (Missing Authentication for Critical Function), reflecting the fundamental security flaw of exposing sensitive administrative functionality without proper access controls.
Root Cause
The root cause lies in the options.php script's failure to implement proper authentication verification before processing configuration change requests. The application does not validate session tokens or check user privileges before accepting and applying configuration modifications. This architectural flaw allows any remote attacker to directly manipulate application settings without providing any credentials.
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. Attackers can exploit this vulnerability by sending malicious HTTP POST requests directly to the options.php endpoint. The attack sequence typically involves:
- Sending crafted requests to enable user registration functionality
- Creating new administrator or user accounts through the newly enabled registration
- Uploading webshells through the file upload functionality
- Executing arbitrary commands on the underlying server
Public exploit modules are available in the Metasploit Framework, and proof-of-concept code has been published, significantly lowering the barrier for exploitation.
The exploitation mechanism targets the unauthenticated configuration endpoint. Attackers send POST requests containing malicious configuration parameters to options.php, which the application processes without verifying the requester's identity. For detailed technical analysis, refer to the Synacktiv Vulnerabilities Report and the VulnCheck Advisory.
Detection Methods for CVE-2024-11680
Indicators of Compromise
- Unexpected POST requests to options.php from external IP addresses
- New user accounts created without administrator knowledge, especially accounts with elevated privileges
- Presence of unexpected PHP files in upload directories or webshell signatures
- Configuration changes to the application that were not authorized by administrators
- Suspicious JavaScript code embedded in application settings or pages
Detection Strategies
- Deploy web application firewall (WAF) rules to monitor and block suspicious requests to options.php
- Implement file integrity monitoring on ProjectSend installation directories to detect unauthorized file uploads
- Review web server access logs for unusual POST requests to configuration endpoints from unauthenticated sessions
- Utilize the Nuclei detection template for automated vulnerability scanning
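As an added example (not part of the original advisory or of ProjectSend's own code), the following Python scans combined-format web server access log lines for the pattern called out in the detection strategies above: POST requests to options.php that the server accepted, coming from addresses outside a trusted administrative network. The sample log lines and the 10.0.0.0/8 trusted range are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches Apache/nginx "combined" access log lines (assumption: that is the log format in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines, not from a real incident. 203.0.113.7 issues the
# unauthenticated POSTs described above; 10.0.0.9 is an admin on the trusted LAN.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Nov/2024:10:00:02 +0000] "POST /options.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.7 - - [26/Nov/2024:10:00:03 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.0.9 - - [26/Nov/2024:10:05:00 +0000] "POST /options.php HTTP/1.1" 302 0 "https://files.example/options.php" "Mozilla/5.0"
198.51.100.2 - - [26/Nov/2024:10:06:00 +0000] "GET /options.php HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Assumption: administrators only reach the admin UI from this network.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_options_posts(log_text: str) -> dict:
    """Return {client_ip: [timestamps]} for POSTs to options.php from untrusted
    addresses that the server accepted (2xx/3xx); 4xx/5xx responses mean the
    request was already rejected, e.g. by the web-server block in the workarounds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/options.php"):
            continue
        if is_trusted(m["ip"]) or m["status"][0] not in "23":
            continue
        hits[m["ip"]].append(m["ts"])
    return dict(hits)
```

Run find_suspicious_options_posts over the real access log text and review every address it reports; a burst of accepted POSTs from one untrusted address, followed shortly by new account creation, matches the exploitation chain described above.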
Monitoring Recommendations
- Enable detailed logging for all requests to administrative endpoints including options.php
- Monitor for new user account creation events, particularly administrator accounts
- Set up alerts for file system changes within the ProjectSend upload and web directories
- Implement network monitoring to detect outbound connections from the web server that may indicate webshell activity
How to Mitigate CVE-2024-11680
Immediate Actions Required
- Upgrade ProjectSend to version r1720 or later immediately
- If immediate upgrade is not possible, restrict network access to options.php through firewall rules or web server configuration
- Audit existing user accounts for any unauthorized additions and remove suspicious accounts
- Scan upload directories for webshells or other malicious files
- Review application configuration settings for unauthorized changes or malicious JavaScript
Patch Information
The vulnerability has been addressed in ProjectSend version r1720. The security fix is available in the official commit 193367d. Organizations should update to this version or later to remediate the vulnerability. Given the active exploitation and CISA KEV listing, patching should be treated as an urgent priority.
Workarounds
- Block access to options.php at the web server level using .htaccess rules or nginx location blocks
- Place the ProjectSend installation behind a VPN or require authentication at the network level
- Implement IP whitelisting to restrict access to the application to trusted networks only
- Disable the application entirely until patching is feasible if the system contains sensitive data
# Apache .htaccess workaround to block access to options.php
# Place this in the ProjectSend web root (the directory containing options.php).
# "Require" syntax needs Apache 2.4 or later. Note that this also blocks legitimate
# administrator configuration changes until the upgrade to r1720 is done.
<Files "options.php">
    Require all denied
</Files>
# Nginx configuration to block options.php
# Goes inside the server { } block that serves ProjectSend; adjust the path if the
# application is installed under a sub-directory rather than at the site root.
location = /options.php {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

