Vulnerability Description
An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Crushftp | Crushftp | >= 9.0.0, < 9.4.0_15 |
Related Weaknesses (CWE)
References
- https://labs.nettitude.com/blog/cve-2021-44076-cross-site-scripting-xss-in-crushExploitThird Party Advisory
- https://www.crushftp.com/Vendor Advisory
- https://labs.nettitude.com/blog/cve-2021-44076-cross-site-scripting-xss-in-crushExploitThird Party Advisory
- https://www.crushftp.com/Vendor Advisory
FAQ
What is CVE-2021-44076?
CVE-2021-44076 is a vulnerability with a CVSS score of 4.8 (MEDIUM). An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-...
How severe is CVE-2021-44076?
CVE-2021-44076 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-44076?
Check the references section above for vendor advisories and patch information. Affected products include: Crushftp Crushftp.