ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
The attacker sends a crafted HTTP request to the options.php file without needing to possess any credentials. The lack of proper identity verification on the server side enables unauthorized modification of application configuration. As a result, it is possible to create new user accounts, upload webshells to the server, and inject malicious JavaScript code into the application interface.
An attacker can gain full control of the server by executing arbitrary code (RCE) through an uploaded webshell, and can also compromise data integrity and conduct attacks against application users using malicious JavaScript.
ProjectSend must be immediately updated to version r1720 or newer. A patch is available in the official project repository (commit 193367d937b1a59ed5b68dd4e60bd53317473744). Until updating, it is recommended to restrict access to the options.php file at the web server level or via firewall.
ProjectSend in all versions earlier than r1720
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HProjectsend
APPProjectsend< r1720
CISA KEV — detailsi
- Vendori
- ProjectSend
- Producti
- ProjectSend
- Added to KEVi
- December 3, 2024
- Remediation deadline (US Federal)i
- December 24, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Related vulnerabilities
Projectsend version r1295 is affected by a directory traversal vulnerability. Because of lacking sanitization ...
ProjectSend (formerly cFTP) r582 allows directory traversal via file=../ in the process-zip-download.php query...
ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, ...
ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, ed...
ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Reference via includes/actions.log.export.php.