CVE-2024-11680
ProjectSend Improper Authentication Vulnerability
ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to make unauthorized modifications to the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
Vendor/Product: ProjectSend / ProjectSend
Added to CISA KEV: 2024-12-03
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.