Detections
Analytics

ProjectSend < r1720 Authentication Bypass (CVE-2024-11680)

critical Nessus Plugin ID 271956

Language:

Synopsis

A web application running on the remote server is affected by an authentication bypass vulnerability.

Description

The instance of ProjectSend running on the remote web server is affected by an authentication bypass vulnerability:

 - ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. (CVE-2024-11680)

Solution

Upgrade to ProjectSend r1720 or later.

See Also

http://www.nessus.org/u?e0ec645a

http://www.nessus.org/u?936495c3

Plugin Details

Severity: Critical

ID: 271956

File Name: projectsend_CVE-2024-11680.nbin

Version: 1.2

Type: remote

Family: Misc.

Published: 10/29/2025

Updated: 10/30/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-11680

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:projectsend:projectsend

Required KB Items: installed_sw/ProjectSend

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 8/2/2024

Vulnerability Publication Date: 7/19/2024

CISA Known Exploited Vulnerability Due Dates: 12/24/2024

Exploitable With

Metasploit (ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution)

Reference Information

CVE: CVE-2024-11680