CVE-2024-11680 — AI Deep Analysis Summary

🚨 **Essence**: ProjectSend r1720- has an **Improper Authentication** flaw. Attackers bypass login to modify configs. 💥 **Consequences**: Full system compromise, arbitrary PHP code execution, and total data loss.

🛡️ **Root Cause**: **CWE-306** (Improper Authentication) & **CWE-287**. The app fails to verify identity for sensitive actions like `options.php`. 📉 **Flaw**: Missing access control checks allow unauthenticated writes.

📦 **Affected**: **ProjectSend** versions **prior to r1720** (e.g., r1605 and older). 🌐 **Component**: The core PHP application logic handling configuration and user management.

👑 **Privileges**: Attackers gain **Admin-level** access without credentials. 📂 **Data**: Can create accounts, enable file uploads, modify whitelists, and execute **Arbitrary PHP Code** on the server.

📉 **Threshold**: **LOW**. No authentication required (PR:N). Low complexity (AC:L). No user interaction needed (UI:N). 🎯 **Config**: Exploits via crafted HTTP requests to `options.php`.

🔓 **Exploit**: **Yes, Public**. PoCs exist on GitHub (e.g., `famixcm`, `D3N14LD15K`). Metasploit module available. 🌍 **Wild Exploitation**: High risk due to ease of use and critical impact.

🔍 **Self-Check**: Scan for ProjectSend instances. Check version number (< r1720). Use Nuclei templates (`CVE-2024-11680.yaml`). 🧪 **Test**: Attempt unauthenticated POST to `options.php` (Do not exploit in prod!).

✅ **Fixed**: **Yes**. Patch available in **ProjectSend r1720**. 📝 **Commit**: `193367d937b1a59ed5b68dd4e60bd53317473744`. Upgrade immediately to the latest version.

🚧 **Workaround**: If patching is delayed, **restrict access** to `options.php` via WAF or firewall rules. Disable file upload features if possible. Monitor logs for unauthorized config changes.

🔥 **Urgency**: **CRITICAL (9.8 CVSS)**. Immediate action required. Remote Code Execution (RCE) is possible. 🏃 **Priority**: Patch to r1720+ **NOW** to prevent server takeover.