External risk intelligence

ProjectSend Improper Authentication Allows Configuration Changes

CVE advisoryKnown Exploit

CVE-2024-11680

An improper authentication vulnerability in ProjectSend allows unauthenticated attackers to modify application configurations. This could lead to unauthorized account creation, malicious file uploads, and JavaScript injection, impacting system integrity and data security.

4Halo Surface Signal

Missing Authentication

Projectsend

before r1720

External exposure likelihood

Halo Surface Signal score for CVE-2024-11680

ProjectSend is a file-sharing and client-portal application specifically designed to be deployed as a web-facing service to facilitate external user access and document exchange, making it commonly accessible via the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

ProjectSend versions prior to r1720 have an improper authentication flaw. This weakness allows unauthenticated attackers to alter application configurations. Such actions could lead to the creation of unauthorized accounts, the uploading of malicious files, or the embedding of harmful JavaScript within the system.

Vulnerable component: ProjectSend application.
Core weakness: Improper authentication.
Main business impact: Unauthorized account creation and data compromise.

Attack Path

How an attacker could exploit the issue

An improper authentication vulnerability in ProjectSend versions prior to r1720 allows unauthenticated attackers to modify application configurations. Attackers can send specially crafted HTTP requests to options.php to gain unauthorized access. This can lead to the creation of new accounts, the upload of malicious webshells, and the injection of harmful JavaScript into the application.

Exposed on the network.
Attacker sends crafted HTTP requests.
Attacker gains control of configuration.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in ProjectSend presents a significant risk due to its ease of exploitation and severe potential impact. Remote attackers without authentication can manipulate application settings, leading to the creation of unauthorized accounts, the upload of malicious files, and the injection of harmful scripts. The CISA Known Exploited Vulnerabilities catalog includes this CVE, indicating active exploitation and a heightened urgency for remediation.

Likely attacker skill level: Basic
Required access or conditions: Network accessible
Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An improper authentication vulnerability has been identified in ProjectSend, potentially allowing unauthenticated attackers to alter application configurations. Successful exploitation could lead to unauthorized account creation, the upload of malicious webshells, and the embedding of harmful JavaScript. This presents a significant risk to the integrity and security of organizational data and systems.

Identify ProjectSend instances.
Restrict network access.
Apply vendor updates and verify.
Monitor for suspicious activity.

Frequently asked questions

What is ProjectSend and what are its key functions?

ProjectSend is a web-based application designed for secure file sharing and client portal management. It enables businesses to exchange documents and foster collaboration with clients through a dedicated online platform.

What type of security weakness is identified by CVE-2024-11680 in ProjectSend?

CVE-2024-11680 is classified as an improper authentication vulnerability (CWE-306). This indicates that the software fails to adequately verify user identities, potentially allowing unauthorized actions by bypassing necessary authentication checks.

How can attackers exploit the ProjectSend vulnerability to their advantage?

Attackers can exploit this flaw by sending specially crafted HTTP requests to the options.php file. This allows them to bypass authentication and gain unauthorized control, enabling actions such as creating new user accounts, uploading malicious files (webshells), and embedding harmful JavaScript within the application.

What is the significance of ProjectSend's inclusion in the CISA Known Exploited Vulnerabilities catalog?

The inclusion of this CVE in the CISA Known Exploited Vulnerabilities catalog signifies that the vulnerability is actively being exploited in the wild. This indicates a high level of risk and necessitates immediate attention for remediation by organizations using affected ProjectSend versions.

What steps should be taken to address the ProjectSend vulnerability?

Organizations should identify all instances of ProjectSend, restrict network access where possible, and promptly apply vendor-provided updates to version r1720 or later. Continuous monitoring for any suspicious activity within the application is also recommended to detect potential compromises.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.