Create DIVD-2024-00051.md

_cases/2024/DIVD-2024-00051.md

@@ -0,0 +1,45 @@
+---
+layout: case
+title: "Improper authorization vulnerabilty in ProjectSend"
+author: Florian Krijt
+lead: Koen Schagen
+excerpt: "Improper authorization vulnerabilty, cve-2024-11680, in open-source file-sharing application: ProjectSend,"
+researchers:
+- Florian Krijt
+- Koen Schagen
+cves:
+- CVE-2024-11680
+product:
+- ProjectSend
+versions: 
+- ealier then r1720
+recommendation: "Upgrade to R1720 or later"
+workaround: "none"
+patch_status: Patch available
+status : Open
+start: 2024-12-09
+timeline:
+- start: 2024-12-09
+  end:
+  event: "DIVD starts researching the vulnerability."
+- start: 2024-12-09
+  end:
+  event: "DIVD finds fingerprint, preparing to scan."
+- start: 2024-12-09
+  end:
+  event: "Case opened and starting first scan."
+---
+
+## Summary
+
+A critical vulnerability in ProjectSend, a widely-used open-source file-sharing platform, has been actively exploited. The vulnerability, found in versions prior to r1720, enables unauthenticated attackers to modify application configurations via improperly authorised requests. This allows exploitation scenarios such as enabling unauthorised user registration, uploading PHP webshells, or embedding malicious JavaScript, leading to server compromise.
+
+## Recommendations
+
+To remediate {% cve CVE-2024-11680 %}, upgrade to version r1720 or later.
+
+## What we are doing
+
+DIVD is currently working to identify parties that are running a vulnerable version of ProjectSend and to notify these parties. 
+
+{% include timeline.html %}