A critical security flaw affecting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability, originally patched over a year and a half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720. As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).
Synacktiv, which reported the flaw to the project maintainers in January 2023, described it as an improper authorization check that allows an attacker to execute malicious code on vulnerable servers.
"An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files," it said in a report published in July 2024.
"Ultimately, this allows executing arbitrary PHP code on the server hosting the application."
VulnCheck said it observed unknown threat actors targeting public-facing ProjectSend servers using exploit code released by Project Discovery and Rapid7. The exploitation attempts are believed to have begun in September 2024.
The attacks have also been found to enable the user registration feature in order to gain post-authentication privileges for follow-on exploitation, indicating that they are not confined to scanning for vulnerable instances.
"We're likely in the 'attackers installing web shells' territory (technically, the vulnerability also allows the attacker to embed malicious JavaScript, too, which could be an interesting and different attack scenario)," VulnCheck's Jacob Baines said.
"If an attacker has uploaded a web shell, it can be found in a predictable location in upload/files/ off of the webroot."
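Because the article places dropped web shells under upload/files/ beneath the webroot, a defender's first triage step is to sweep that directory for files that should never be there: anything with a PHP-executable extension (an attacker who widened the upload whitelist will have added one) or anything whose body carries PHP tags and the usual shell primitives regardless of extension. The script below is an added example written for this article, not code from VulnCheck, Synacktiv or the ProjectSend project; it assumes the webroot layout the article describes (`upload/files/` directly under the webroot), and the sample webroot it builds, along with the file contents in it, is constructed test data rather than a real capture.

```python
"""Sweep a ProjectSend webroot's upload/files/ directory for likely web shells.

Added example, not ProjectSend's, VulnCheck's or Synacktiv's code. Assumes
uploaded files live at <webroot>/upload/files/ as the article states.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Extensions an attacker would add to ProjectSend's upload whitelist so the
# web server executes the uploaded file as PHP.
SUSPECT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}

# Body patterns typical of PHP web shells and droppers. Checked on every file
# regardless of extension: a ".jpg" containing <?php can still run under a
# permissive handler configuration.
SHELL_PATTERNS = [
    re.compile(rb"<\?php", re.I),
    re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    re.compile(rb"base64_decode\s*\(", re.I),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
]

HEAD_BYTES = 64 * 1024  # only the first 64 KiB of each file is inspected


def classify(path: Path) -> dict | None:
    """Return a finding for the file if it looks like a web shell, else None."""
    reasons = []
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        reasons.append(f"executable extension {path.suffix}")
    try:
        head = path.read_bytes()[:HEAD_BYTES]
    except OSError:
        return None  # unreadable file: skip rather than crash the sweep
    for pattern in SHELL_PATTERNS:
        if pattern.search(head):
            reasons.append(f"body matches {pattern.pattern.decode()}")
    if not reasons:
        return None
    return {"path": str(path), "size": path.stat().st_size, "reasons": reasons}


def scan_upload_dir(webroot: str) -> list[dict]:
    """Walk <webroot>/upload/files/ and return suspicious files sorted by path."""
    upload_dir = Path(webroot) / "upload" / "files"
    findings: list[dict] = []
    if not upload_dir.is_dir():
        return findings
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            finding = classify(Path(root) / name)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_webroot() -> str:
    """Construct a throw-away webroot with one benign and two malicious uploads.

    Sample data made up for this example, not a real capture.
    """
    root = tempfile.mkdtemp(prefix="projectsend-")
    files_dir = Path(root) / "upload" / "files"
    files_dir.mkdir(parents=True)
    (files_dir / "report.pdf").write_bytes(b"%PDF-1.4 benign document")
    (files_dir / "shell.php").write_bytes(b"<?php system($_GET['cmd']); ?>")
    # PHP hidden behind a JPEG magic number and an image extension.
    (files_dir / "image.jpg").write_bytes(
        b"\xff\xd8\xff<?php eval(base64_decode($_POST['x'])); ?>"
    )
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for hit in scan_upload_dir(webroot):
        print(f"{hit['path']} ({hit['size']} bytes): {'; '.join(hit['reasons'])}")
```

Run it against a real deployment by replacing `build_sample_webroot()` with the actual webroot path. Treat every hit as a lead rather than a verdict: legitimately shared PHP source files will also match, so confirm with file timestamps, the web server's access log for requests to the path, and the ProjectSend settings (user registration, auto-validation, the extension whitelist) that the attackers are described as tampering with.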
An analysis of internet-exposed ProjectSend servers has revealed that a mere 1% of them are running the patched version (r1750), with all of the remaining instances running either an unnamed release or version r1605, which came out in October 2022.
In light of what appears to be widespread exploitation, users are advised to apply the latest patches as soon as possible to mitigate the active threat.