Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding DIVD-2024-00051 #890

Merged
merged 4 commits into from
Dec 11, 2024
Merged

Adding DIVD-2024-00051 #890

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2bc916a
Create DIVD-2024-00051.md
flor1der Dec 9, 2024
2597ddc
Update DIVD-2024-00051.md
flor1der Dec 9, 2024
45f5acf
Merge branch 'DIVD-NL:main' into main
flor1der Dec 11, 2024
d3f599d
Update DIVD-2024-00051.md
flor1der Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions _cases/2024/DIVD-2024-00051.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
---
layout: case
title: "Improper authorization vulnerabilty in ProjectSend,"
author: Florian Krijt
lead: Koen Schagen
excerpt: "Improper authorization vulnerabilty, CVE-2024-11680, in open-source file-sharing application: ProjectSend,"
researchers:
- Florian Krijt
- Koen Schagen
cves:
- CVE-2024-11680
product:
- ProjectSend
versions:
- ealier then r1720
recommendation: "Upgrade to r1720 or later"
workaround: "none"
patch_status: Patch available
status : Open
start: 2024-12-09
timeline:
- start: 2024-12-09
end:
event: "DIVD starts researching the vulnerability."
- start: 2024-12-09
end:
event: "DIVD finds fingerprint, preparing to scan."
- start: 2024-12-09
end:
event: "Case opened and starting first scan."
---

## Summary

A critical vulnerability in ProjectSend, a widely-used open-source file-sharing platform, has been actively exploited. The vulnerability, found in versions prior to r1720, enables unauthenticated attackers to modify application configurations via improperly authorised requests. This allows exploitation scenarios such as enabling unauthorised user registration, uploading PHP webshells, or embedding malicious JavaScript, leading to server compromise.

## Recommendations

To remediate {% cve CVE-2024-11680 %}, upgrade ProjectSend to version r1720 or later to resolve the improper authorisation vulnerability. Limit public access by applying strict network controls and review server logs for unusual activity, especially targeting `options.php` or unauthorised uploads in `upload/files/`. For any compromised systems, remove malicious files, restore original configurations, and investigate further for signs of exploitation. Establish a patch management process to ensure timely updates and minimise exposure to future vulnerabilities

## What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of ProjectSend and to notify these parties.

{% include timeline.html %}

## More information

* {% cve CVE-2024-11680 %}
* [VulnCheck Blog: CVE-2024-10914 Exploited in the Wild](https://vulncheck.com/blog/projectsend-exploited-itw)
* [Cencys advisory CVE-2024-10914](https://censys.com/cve-2024-11680/)
Loading