-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #890 from flor1der/main
Adding DIVD-2024-00051
- Loading branch information
Showing
1 changed file
with
51 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| --- | ||
| layout: case | ||
| title: "Improper authorization vulnerabilty in ProjectSend," | ||
| author: Florian Krijt | ||
| lead: Koen Schagen | ||
| excerpt: "Improper authorization vulnerabilty, CVE-2024-11680, in open-source file-sharing application: ProjectSend," | ||
| researchers: | ||
| - Florian Krijt | ||
| - Koen Schagen | ||
| cves: | ||
| - CVE-2024-11680 | ||
| product: | ||
| - ProjectSend | ||
| versions: | ||
| - ealier then r1720 | ||
| recommendation: "Upgrade to r1720 or later" | ||
| workaround: "none" | ||
| patch_status: Patch available | ||
| status : Open | ||
| start: 2024-12-09 | ||
| timeline: | ||
| - start: 2024-12-09 | ||
| end: | ||
| event: "DIVD starts researching the vulnerability." | ||
| - start: 2024-12-09 | ||
| end: | ||
| event: "DIVD finds fingerprint, preparing to scan." | ||
| - start: 2024-12-09 | ||
| end: | ||
| event: "Case opened and starting first scan." | ||
| --- | ||
|
|
||
| ## Summary | ||
|
|
||
| A critical vulnerability in ProjectSend, a widely-used open-source file-sharing platform, has been actively exploited. The vulnerability, found in versions prior to r1720, enables unauthenticated attackers to modify application configurations via improperly authorised requests. This allows exploitation scenarios such as enabling unauthorised user registration, uploading PHP webshells, or embedding malicious JavaScript, leading to server compromise. | ||
|
|
||
| ## Recommendations | ||
|
|
||
| To remediate {% cve CVE-2024-11680 %}, upgrade ProjectSend to version r1720 or later to resolve the improper authorisation vulnerability. Limit public access by applying strict network controls and review server logs for unusual activity, especially targeting `options.php` or unauthorised uploads in `upload/files/`. For any compromised systems, remove malicious files, restore original configurations, and investigate further for signs of exploitation. Establish a patch management process to ensure timely updates and minimise exposure to future vulnerabilities | ||
|
|
||
| ## What we are doing | ||
|
|
||
| DIVD is currently working to identify parties that are running a vulnerable version of ProjectSend and to notify these parties. | ||
|
|
||
| {% include timeline.html %} | ||
|
|
||
| ## More information | ||
|
|
||
| * {% cve CVE-2024-11680 %} | ||
| * [VulnCheck Blog: CVE-2024-10914 Exploited in the Wild](https://vulncheck.com/blog/projectsend-exploited-itw) | ||
| * [Cencys advisory CVE-2024-10914](https://censys.com/cve-2024-11680/) |