Unauthenticated Payload Execution through Improper Input Handling in Web Application Logs
CVE-2024-11986

9.6CRITICAL

Key Information:

Vendor: Crushftp, Llc
Status: Crushftp
Vendor: CVE Published:; 13 December 2024

Summary

The vulnerability arises from improper handling of input in the 'Host Header' within the CrushFTP web application. An unauthenticated attacker can exploit this weakness to inject a payload into web application logs. When an administrator accesses the logs through the standard functionality provided by CrushFTP, the injected payload can execute, leading to stored Cross-Site Scripting (XSS). This type of vulnerability allows attackers to potentially manipulate the web application's behavior or steal sensitive information from users.

Affected Version(s)

CrushFTP Windows 10.0.0 < 10.8.2

CrushFTP Windows 11.0.0 < 11.2.1

References

https://crushftp.com/crush11wiki/Wiki.jsp?page=Update

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 13, 2024
Vulnerability Reserved
Nov 29, 2024

Credit

European Commission, Application Security Testing Services