
Hugo Clout

Rank: #23277 of 53,624
Total CVSS: 10
Vulnerabilities: 1
PT-2024-8801 · CVSS 10 · 2024-11-26
Unknown · Projectsend · CVE-2024-11680
**Name of the Vulnerable Software and Affected Versions**

ProjectSend versions prior to r1720

**Description**

An improper authentication issue exists where certain PHP pages perform authorization checks only after the rest of the code has already executed, allowing unauthenticated users to perform privileged operations. Remote attackers can exploit this by sending crafted HTTP requests to the 'options.php' endpoint. This allows unauthorized modification of the application configuration, enabling attackers to create rogue accounts, upload webshells, and embed malicious JavaScript to execute arbitrary PHP code on the server.

Approximately 4,000 instances of the software are available on the internet, and the flaw has been actively exploited in the wild, with attackers altering system settings to enable user registration and maintain control over compromised servers.

The vulnerable parameters include `csrf token` and `section`.

**Recommendations**

Update to version r1720 or later. As a temporary workaround, block all POST requests to the 'options.php' endpoint. Alternatively, restrict all POST requests that contain the `csrf token` and `section` parameters in the request body.