No CVE was assigned for ProjectSend authentication vulnerability.
Multiple exploits have been published for a vulnerability in ProjectSend, despite a patch being available for over a year.
According to a blog by VulnCheck, the CVE for this vulnerability in the open-source file-sharing web application was only published on November 26th, with the company claiming that the flaw is being actively exploited.
“Due to the absence of a CVE assignment, centralized documentation was lacking,” it said. “With the CVE now assigned and evidence of ongoing exploitation, it is crucial for security companies to assess their customers' exposure, implement necessary remediations, and conduct incident response activities as needed.”
Improper authentication vulnerability
NIST claims that ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability, which would allow remote, unauthenticated attackers to exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration.
A successful exploitation would allow an attacker to create accounts, upload webshells, and embed malicious JavaScript.
According to VulnCheck, it believes it is seeing attackers installing webshells as the vulnerability allows an attacker to embed malicious JavaScript.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
