WEB APPLICATION VULNERABILITIES Standard & Premium

CrushFTP Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-44076)

Description

An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.

Remediation

References

Related Vulnerabilities

Oracle Database Server Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-6477)

WordPress Plugin TheThe Layout Grid Cross-Site Scripting (1.0.0)

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2008-2068)

Apache Traffic Server Improper Authentication Vulnerability (CVE-2021-44759)

WordPress Plugin Sticky Menu on Scroll, Sticky Header, Sticky Welcome Bar for Any Theme-myStickymenu Unspecified Vulnerability (2.1.4)

Severity

Medium

Classification

CVE-2021-44076 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities