Stored Cross-Site Scripting in CrushFTP by Crush FTP, Inc.
CVE-2021-44076

4.8MEDIUM

Key Information:

Vendor: Crushftp
Status: Crushftp
Vendor: CVE Published:; 15 September 2022

Summary

A vulnerability was identified in CrushFTP 9 that permits an attacker with administrative access to exploit the /WebInterface/UserManager/ system. This exploitation occurs by creating a new user, thereby enabling Stored Cross-Site Scripting (XSS). The injected malicious payload can manifest in various ways, including executing when the user's profile is viewed in the Most Visited section. This flaw poses a risk as it can lead to unauthorized actions and data breaches, making it crucial for administrators to secure their environments promptly.

References

https://www.crushftp.com/

x_refsource_MISC

https://labs.nettitude.com/blog/cve-2021-44076-cross-site...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 15, 2022
Vulnerability Reserved
Nov 19, 2021