ProjectSend Panic: Critical Flaw Gives Hackers the Keys to the Kingdom!

Experts warn that a critical ProjectSend vulnerability (CVE-2024-11680) with a CVSS score of 9.8 is being actively exploited. Attackers can exploit this flaw to modify configurations, create accounts, and upload webshells. Despite a patch being available, low adoption rates mean the threat remains high.

Hot Take:

Well, looks like ProjectSend users are caught in a ‘send’-whirl of trouble! With a critical flaw being exploited faster than you can say “unauthorized access,” it seems attackers have been having a field day with this open-source app. If you’re using ProjectSend, it’s time to patch up or risk sending all your secrets to the wild, wild web!

Key Points:

  • Critical vulnerability (CVE-2024-11680) in ProjectSend is actively exploited.
  • Flaw allows unauthenticated attackers to modify the app’s configuration and create accounts.
  • ProjectSend versions before r1720 are affected; a patch has been available since May 2023.
  • Exploitation includes uploading webshells and embedding malicious JavaScript.
  • Patch adoption is poor, with only 1% using the fixed version (r1750).

The Nimble Nerd