Vulnerability Description
Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cerberusftp | Ftp Server | >= 10.0.0, < 10.0.17 |
Related Weaknesses (CWE)
References
- https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-AnnouncemRelease NotesVendor Advisory
- https://www.cerberusftp.com/xss-vulnerability-in-public-shares-fixed-in-cerberusVendor Advisory
- https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilitiesThird Party Advisory
- https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-AnnouncemRelease NotesVendor Advisory
- https://www.cerberusftp.com/xss-vulnerability-in-public-shares-fixed-in-cerberusVendor Advisory
- https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilitiesThird Party Advisory
FAQ
What is CVE-2020-5195?
CVE-2020-5195 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This ...
How severe is CVE-2020-5195?
CVE-2020-5195 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5195?
Check the references section above for vendor advisories and patch information. Affected products include: Cerberusftp Ftp Server.