Description

An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.

Remediation

References

CVE-2021-44076

Related Vulnerabilities

WordPress Plugin Translate WordPress with GTranslate Cross-Site Scripting (2.8.51)

Oracle Database Server Create Session privilege issue (CVE-2021-1993)

Joomla! Core 3.9.x CSV Injection (3.9.0 - 3.9.6)

phpMyAdmin Other Vulnerability (CVE-2005-3621)

Atlassian Jira Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-20100)

Severity

Medium

Classification

CVE-2021-44076 CWE-707 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities