WEB APPLICATION VULNERABILITIES Standard & Premium

CrushFTP SSTI (CVE-2024-4040)

Description

A critical server-side template injection (SSTI) vulnerability in CrushFTP enables unauthenticated attackers to read sensitive files outside the VFS Sandbox, bypass authentication to gain administrative access, and execute arbitrary code on the server.

Remediation

Upgrade to the latest version of CrushFTP

References

CrushFTP Official Update Instructions

Related Vulnerabilities

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-2033)

PHP CVE-2007-0910 Vulnerability (CVE-2007-0910)

Chamilo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-37063)

Roundcube Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-6121)

WebLogic Uncontrolled Resource Consumption Vulnerability (CVE-2022-24839)

Severity

Critical

Classification

CVE-2024-4040 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Server Side Template Injection Code Execution Known Vulnerabilities