CVE-2021-44076 - OpenCVE

An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Crushftp	Crushftp

Configuration 1 [-]

cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*

References

Link	Resource
https://labs.nettitude.com/blog/cve-2021-44076-cross-site-scripting-xss-in-crushftp/	Exploit Third Party Advisory
https://www.crushftp.com/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-15T12:35:32

Updated: 2022-09-15T12:35:32

Reserved: 2021-11-19T00:00:00

Link: CVE-2021-44076

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-15T13:15:09.593

Modified: 2022-09-17T03:45:01.677

Link: CVE-2021-44076

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-15T12:35:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.crushftp.com/"}, {"tags": ["x_refsource_MISC"], "url": "https://labs.nettitude.com/blog/cve-2021-44076-cross-site-scripting-xss-in-crushftp/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-44076", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.crushftp.com/", "refsource": "MISC", "url": "https://www.crushftp.com/"}, {"name": "https://labs.nettitude.com/blog/cve-2021-44076-cross-site-scripting-xss-in-crushftp/", "refsource": "MISC", "url": "https://labs.nettitude.com/blog/cve-2021-44076-cross-site-scripting-xss-in-crushftp/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-44076", "datePublished": "2022-09-15T12:35:32", "dateReserved": "2021-11-19T00:00:00", "dateUpdated": "2022-09-15T12:35:32", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}