No CVE was assigned for ProjectSend authentication vulnerability.
Multiple exploits have been published for a vulnerability in ProjectSend, despite a patch being available for over a year.
According to a blog by VulnCheck, the CVE for this vulnerability in the open-source file-sharing web application was only published on November 26th, with the company claiming that the flaw is being actively exploited.
“Due to the absence of a CVE assignment, centralized documentation was lacking,” it said. “With the CVE now assigned and evidence of ongoing exploitation, it is crucial for security companies to assess their customers' exposure, implement necessary remediations, and conduct incident response activities as needed.”
Improper authentication vulnerability
NIST claims that ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability, which would allow remote, unauthenticated attackers to exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration.
A successful exploitation would allow an attacker to create accounts, upload webshells, and embed malicious JavaScript.
According to VulnCheck, it believes it is seeing attackers installing webshells as the vulnerability allows an attacker to embed malicious JavaScript.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
