Critical Vulnerability in Open-Source File Sharing App ProjectSend Exploited, Users Urged to Upgrade Immediately
ProjectSend, an open-source, free file-sharing application, allows users to deploy the program on their own servers to build file-sharing capabilities, facilitating the sharing of files with other users or clients.
A recent report from a security firm revealed that a critical security vulnerability in the program may have been widely exploited by attackers, allowing them to execute arbitrary code on the server.
The vulnerability was first reported in May 2023, and although work on a fix began then, it was not fully patched until the release of version r1720 in August 2024. By November 26, 2024, the vulnerability had been assigned the identifier CVE-2024-11680, with a CVSS score of 9.8 out of 10.
The cause of the vulnerability was improper authorization checks, which allowed attackers to perform sensitive operations such as enabling user auto-registration or auto-verification, or adding new entries to the whitelist of extensions allowed to upload files.
Ultimately, this vulnerability could allow attackers to execute arbitrary PHP code on the targeted server, which amounts to a Web Shell; attackers could also embed malicious JavaScript to achieve various other malicious objectives.
If an attacker uploaded a Web Shell, it would sit in the site's /uploads/files/ directory, where the web server could execute it, potentially leading to server data leaks or more damaging actions.
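The practical question for an administrator is whether anything server-executable has landed in that uploads directory. The following is an added defensive example, not ProjectSend's own code: it walks a directory such as /uploads/files/ and flags files by extension, by an `.htaccess` that could remap handlers, and by a PHP open tag in the first bytes regardless of name. The extension list and the directory path are assumptions, not taken from the ProjectSend project.

```python
"""Look for web-shell artefacts in a ProjectSend uploads directory (added example)."""
import os
import re
from typing import Iterable, List, Tuple

# Assumed set: extensions commonly mapped to the PHP handler by Apache/nginx configs.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# A PHP open tag ('<?php' or '<?=') at the start of the file, after an optional UTF-8 BOM.
PHP_OPEN_TAG = re.compile(rb"^(\xef\xbb\xbf)?\s*<\?(php\b|=)", re.IGNORECASE)


def classify(name: str, head: bytes) -> List[str]:
    """Return the reasons a file looks suspicious (empty list means nothing found)."""
    reasons = []
    parts = name.lower().split(".")
    # Any dotted segment that is an executable extension: catches shell.php and
    # shell.php.txt (the latter is executed by some lax handler configurations).
    if any("." + p in EXECUTABLE_EXTS for p in parts[1:]):
        reasons.append("executable extension")
    if name.lower() == ".htaccess":
        reasons.append("htaccess override")  # can change handler mapping for the directory
    if PHP_OPEN_TAG.match(head):
        reasons.append("php open tag in content")  # e.g. a .jpg that is really PHP
    return reasons


def scan_entries(entries: Iterable[Tuple[str, bytes]]) -> dict:
    """Classify (name, first bytes) pairs; return {name: reasons} for flagged files only."""
    return {n: r for n, r in ((n, classify(n, h)) for n, h in entries) if r}


def scan_directory(root: str, head_len: int = 64) -> dict:
    """Walk root (e.g. <webroot>/uploads/files) and feed each file to scan_entries."""
    def entries():
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    with open(p, "rb") as fh:
                        yield os.path.relpath(p, root), fh.read(head_len)
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    return scan_entries(entries())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "uploads/files"
    for path, why in scan_directory(target).items():
        print(f"{path}: {', '.join(why)}")
```

A hit is a starting point for investigation, not proof of compromise; an empty result does not rule out other persistence, so the upgrade is still required.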
Why did the security firm issue a dedicated report? Because a global scan revealed that only 1% of servers with ProjectSend installed had updated to version r1750; the remaining 99% were running versions that either could not be version-checked or were on version r1605.
Therefore, if you or your company uses ProjectSend, it is crucial to upgrade immediately to prevent targeted attacks by hackers who have already scanned for and identified vulnerable servers.