CVE-2024-7658

5.3 MEDIUM

📋 TL;DR

This vulnerability in ProjectSend allows improper control of resource identifiers in the get_preview function of process.php, potentially enabling unauthorized access to files. It affects ProjectSend installations up to version r1605. Remote attackers could exploit this to access restricted resources.

💻 Affected Systems

Products:
  • ProjectSend
Versions: up to r1605
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All ProjectSend installations up to r1605 are affected regardless of configuration.

📦 What is this software?

ProjectSend is a self-hosted, open-source PHP web application for uploading files and assigning them to clients, who log in to download them. The preview function affected here serves a rendering of a stored file to the requesting browser.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized access to sensitive files stored in ProjectSend, potentially including confidential client documents or application files.

🟠 Likely Case: Limited file disclosure, or directory traversal to read files within the ProjectSend directory structure, by supplying a resource identifier that does not belong to the requester.

🟢 If Mitigated: Exposure is closed once r1720 is installed or access to process.php is restricted. OS-level file permissions alone do not help: the web server process legitimately reads every stored file, so the check has to happen in the application.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The published description states the attack may be initiated remotely, and the 5.3 score corresponds to network access with low attack complexity and no privileges or user interaction required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: r1720

Vendor Advisory: https://github.com/projectsend/projectsend/releases/tag/r1720

Restart Required: No

Instructions:

1. Back up the current ProjectSend installation and its database.
2. Download release r1720 from the official GitHub releases page.
3. Replace the existing application files with the new version, preserving your configuration files.
4. Confirm the installed version now reports r1720 or later. If you deploy from a git checkout rather than a release archive, also confirm that commit eb5a04774927e5855b9d0e5870a2aae5a3dc5a08 is in the history.

🔧 Temporary Workarounds

Restrict access to process.php (applies to all platforms)

Temporarily block or restrict access to the vulnerable process.php file. The vulnerable function lives in a shared request handler, so a blanket deny is likely to disrupt other application functions as well; if the service must stay up, allow-list trusted client addresses instead of denying everyone, and treat this strictly as a stopgap until r1720 is deployed.

# For Apache 2.4: add to .htaccess in the ProjectSend web root
# (AllowOverride must permit it)
<Files "process.php">
    Require all denied
</Files>
# Apache 2.2 (or 2.4 with mod_access_compat loaded) uses the legacy form instead:
# <Files "process.php">
#     Order Deny,Allow
#     Deny from all
# </Files>
# For Nginx: add to the server block BEFORE any generic "location ~ \.php$" block;
# regex locations are tried in order and the first match wins
location ~ /process\.php$ {
    deny all;   # returns 403 by itself; put "allow <ip>;" lines above it to allow-list
}

🧯 If You Can't Patch

  • Apply the process.php restriction above, or place the whole application behind an additional authentication layer (VPN or reverse-proxy authentication) so that it is no longer reachable unauthenticated
  • Deploy a web application firewall (WAF) with rules that block path-traversal sequences in process.php requests and rate-limit rapid enumeration of identifiers from one client. A WAF cannot know whether a given identifier belongs to the requester, so this narrows the window rather than closing it
  • Keep strict file permissions on the ProjectSend directory so that a disclosed file is at least limited to what the web server user can read

🔍 How to Verify

Check if Vulnerable:

Check your ProjectSend version in the admin panel or in the version file. Versions up to r1605 are confirmed affected; the advisory names r1720 as the fixed release and says nothing about builds in between, so treat anything below r1720 as unpatched unless you can confirm the fix commit is present.

Check Version:

# run from the ProjectSend web root
grep -i 'version' includes/version.php

Verify Fix Applied:

# git checkout: is the fix commit an ancestor of the deployed revision?
git merge-base --is-ancestor eb5a04774927e5855b9d0e5870a2aae5a3dc5a08 HEAD && echo "fix present"
# release archive (no .git directory): the version string must read r1720 or later
grep -i 'version' includes/version.php

File timestamps are not a reliable signal; rely on the version string or the git history.

📡 Detection & Monitoring

Log Indicators:

  • Requests to process.php invoking get_preview from a single client with many different file identifiers in quick succession (identifier enumeration)
  • Path-traversal sequences (../, encoded or double-encoded variants) in process.php query parameters
  • A high share of 403/404 responses to preview requests from one client

Network Indicators:

  • HTTP requests to process.php whose resource-identifier parameters vary sequentially or carry traversal sequences

SIEM Query:

source="web_logs" AND uri="*process.php*" AND (query="*get_preview*" OR query="*resource*" OR query="*file*")
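The indicators above can be turned into a first-pass scan of web server logs. The following Python script is an added example written for this page; it is not ProjectSend code and not a vendor-supplied detection. It assumes Apache combined-format access logs, that the preview action is selected by a parameter value containing get_preview (mirroring the SIEM query), and that the file identifier arrives in a parameter named files, file, id or resource; all three are assumptions to check against the deployed version. The log lines embedded in it are constructed for the example.

```python
"""Scan Apache combined-format access logs for suspicious get_preview activity."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Traversal sequences after one round of URL decoding; the %2e%2e form still
# catches values that were double-encoded on the wire.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.IGNORECASE)
# ASSUMPTIONS: the action is selected by a parameter whose value contains
# "get_preview" (mirrors the page's SIEM query), and the file is selected by
# one of these parameter names. Adjust both to match the deployed version.
ACTION_MARK = "get_preview"
ID_PARAMS = {"files", "file", "id", "resource"}

# Constructed sample log: one client enumerating previews and trying traversal,
# one client doing a single legitimate preview, plus unrelated and malformed lines.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2024:10:00:01 +0000] "GET /process.php?do=get_preview&files=101 HTTP/1.1" 200 4812 "-" "curl/8.0"
203.0.113.7 - - [10/Aug/2024:10:00:02 +0000] "GET /process.php?do=get_preview&files=102 HTTP/1.1" 403 221 "-" "curl/8.0"
203.0.113.7 - - [10/Aug/2024:10:00:02 +0000] "GET /process.php?do=get_preview&files=103 HTTP/1.1" 403 221 "-" "curl/8.0"
203.0.113.7 - - [10/Aug/2024:10:00:03 +0000] "GET /process.php?do=get_preview&files=104 HTTP/1.1" 403 221 "-" "curl/8.0"
203.0.113.7 - - [10/Aug/2024:10:00:03 +0000] "GET /process.php?do=get_preview&files=105 HTTP/1.1" 403 221 "-" "curl/8.0"
203.0.113.7 - - [10/Aug/2024:10:00:04 +0000] "GET /process.php?do=get_preview&files=..%2F..%2Fconfig.php HTTP/1.1" 403 221 "-" "curl/8.0"
198.51.100.5 - - [10/Aug/2024:10:05:10 +0000] "GET /process.php?do=get_preview&files=77 HTTP/1.1" 200 9120 "https://files.example/" "Mozilla/5.0"
198.51.100.5 - - [10/Aug/2024:10:05:12 +0000] "GET /index.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
this line is not an access log entry
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "path": parts.path,
        "query": parts.query,
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def is_preview_request(rec):
    """True for process.php requests whose query selects the preview action."""
    return rec["path"].endswith("/process.php") and ACTION_MARK in unquote(rec["query"]).lower()


def resource_ids(rec):
    """Values of every parameter that looks like a file/resource identifier."""
    return [v for name, vals in rec["params"].items() if name.lower() in ID_PARAMS for v in vals]


def analyze(lines, enum_threshold=5, denied_min=3, denied_ratio=0.5):
    """Return (ip, reason, detail) findings: traversal, id enumeration, denied bursts."""
    findings = []
    ids_by_ip = defaultdict(set)
    total_by_ip = defaultdict(int)
    denied_by_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_preview_request(rec):
            continue
        ip = rec["ip"]
        total_by_ip[ip] += 1
        if rec["status"] in (403, 404):
            denied_by_ip[ip] += 1
        decoded = unquote(rec["query"])
        if TRAVERSAL_RE.search(decoded):
            findings.append((ip, "traversal", decoded))
        ids_by_ip[ip].update(resource_ids(rec))
    # One client requesting previews of many distinct identifiers is the
    # signature of an IDOR sweep, whether or not the server rejected them.
    for ip, ids in ids_by_ip.items():
        if len(ids) >= enum_threshold:
            findings.append((ip, "enumeration", f"{len(ids)} distinct identifiers"))
    # A high share of 403/404 on preview requests means the client is guessing.
    for ip, denied in denied_by_ip.items():
        if denied >= denied_min and denied / total_by_ip[ip] >= denied_ratio:
            findings.append((ip, "denied-burst", f"{denied}/{total_by_ip[ip]} requests denied"))
    return findings


if __name__ == "__main__":
    for ip, reason, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{reason}\t{detail}")
```

On the constructed sample the script reports three findings, all for 203.0.113.7 (one traversal attempt, six distinct identifiers, five of six requests denied) and nothing for the legitimate client. The enumeration rule deliberately counts distinct identifiers rather than denied responses, because on an unpatched r1605 the server hands back the file and logs a 200, so a rule keyed only on errors would miss a successful sweep. Tune the thresholds to the normal preview rate of your deployment before alerting on them.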
