Fixed versions: 10.8.2 and 11.2.1
CVE-2024-11986 describes a stored Cross-Site Scripting (XSS) vulnerability affecting CrushFTP Server. This flaw allows an unauthenticated attacker to inject malicious scripts into the application's log files. When an administrator subsequently views these logs, the stored script executes, potentially compromising the administrator's session and leading to further exploitation. This vulnerability impacts versions 10.0.0 through 11.2.1, and a patch is available in version 11.2.1.
This vulnerability poses a significant risk because it allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an administrator's session. Successful exploitation could lead to account takeover, data theft, defacement of the web application, or even complete system compromise. The attacker could steal sensitive information such as user credentials, configuration files, or proprietary data stored within CrushFTP. Because the compromised session carries administrator privileges, the blast radius extends beyond the CrushFTP application itself and may enable lateral movement to other systems on the network. This vulnerability resembles other stored XSS vulnerabilities in which log injection lets an unauthenticated attacker plant a payload that later executes in the session of an authenticated user who views the log.
CVE-2024-11986 was publicly disclosed on December 13, 2024. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity warrant immediate attention. No KEV listing exists as of this writing. Public proof-of-concept code is likely to emerge given the vulnerability's nature and severity.
Organizations using CrushFTP Server for file transfer and management, particularly those with legacy configurations or shared hosting environments, are at risk. Administrators who routinely access and review CrushFTP server logs are especially vulnerable to exploitation.
• crushftp: Examine CrushFTP server logs for script-like content (for example `<script` or `alert(`). Note that `alert\(` in a basic grep regular expression opens an unmatched group and fails, so use -E (or -F for a fixed string):
  grep -iE '<script|alert\(' /path/to/crushftp/logs/server.log
• crushftp: Check the CrushFTP configuration for improperly sanitized host headers.
  Get-ChildItem -Path "HKCU:\Software\CrushFTP\Server" -Recurse | ForEach-Object { Get-ItemProperty -Path $_.PSPath } | Where-Object { $_.PSObject.Properties.Name -like "*HostHeader*" } | Select-Object PSPath, *HostHeader* | Format-List
• generic web: Monitor web server access logs for requests containing suspicious JavaScript payloads in the Host header.
  grep -iE '<script|alert\(' /var/log/apache2/access.log

Disclosure
Exploit status
EPSS: 0.78% (74th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11986 is to immediately upgrade CrushFTP to version 11.2.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the CrushFTP logs to authorized personnel only. Implement strict input validation and sanitization on the 'Host Header' field to prevent malicious input. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block suspicious requests. Monitor CrushFTP logs for unusual activity or unexpected script execution.
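As an added example (not CrushFTP's own code and not part of this advisory), the following Python shows the two defensive pieces discussed above: validating and HTML-escaping a client-supplied Host header before it is written to a log that an administrator may later view in a browser, and scanning existing log lines for script-like content as a detection step. The hostname pattern, the allowlist, the log line format and the sample log lines are all constructed for this example and are assumptions, not CrushFTP's real behaviour or log format.

```python
import html
import re

# A Host header is only ever hostname[:port]; anything else is rejected before it
# reaches a log line. Pattern and allowlist are assumptions for this example.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*(:\d{1,5})?$"
)
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def is_valid_host(value: str, allowed: set[str]) -> bool:
    """Accept only a syntactically valid hostname[:port] whose hostname is allowlisted."""
    if not HOST_RE.match(value):
        return False
    hostname = value.split(":", 1)[0].lower()
    return hostname in allowed


def sanitize_for_log(value: str, max_len: int = 256) -> str:
    """Neutralise a client-controlled string before writing it to a log that may be rendered as HTML."""
    value = value[:max_len]                   # bound the size of attacker-controlled input
    value = CONTROL_RE.sub("?", value)        # no CR/LF, so no forged extra log lines
    return html.escape(value, quote=True)     # < > & " ' become entities: the viewer shows text, not markup


def log_request(host: str, path: str, allowed: set[str]) -> str:
    """Build the log line for a request; an invalid Host is recorded escaped and flagged, never raw."""
    if is_valid_host(host, allowed):
        return f"host={host} path={sanitize_for_log(path)}"
    return f"host=INVALID({sanitize_for_log(host)}) path={sanitize_for_log(path)}"


# Detection side: indicators that a log entry carries script-like content.
# The escaped/encoded form is flagged too, because even a neutralised entry shows an attempt.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("alert/prompt call", re.compile(r"\b(alert|prompt|confirm)\s*\(", re.I)),
    ("encoded script tag", re.compile(r"%3c\s*script|&lt;\s*script", re.I)),
]


def scan_log_lines(lines):
    """Return (line_number, indicator) for every line matching a suspicious pattern."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for label, pattern in SUSPICIOUS:
            if pattern.search(line):
                hits.append((n, label))
                break
    return hits


# Constructed sample log lines (not a real CrushFTP log) written by a logger that did NOT sanitize.
SAMPLE_LOG = [
    "2024-12-13 10:00:01 INFO  host=files.example.test path=/WebInterface/login.html",
    "2024-12-13 10:00:07 WARN  host=<script>alert(document.cookie)</script> path=/",
    "2024-12-13 10:00:09 INFO  host=files.example.test path=/upload?name=report.pdf",
    "2024-12-13 10:00:12 WARN  host=x onmouseover=alert(1) path=/",
    "2024-12-13 10:00:15 INFO  host=files.example.test path=/%3Cscript%3Esrc",
]

if __name__ == "__main__":
    allowed = {"files.example.test"}
    print(log_request("files.example.test:443", "/WebInterface/", allowed))
    print(log_request("<img src=x onerror=alert(1)>", "/", allowed))
    for lineno, why in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {why}")
```

The validation step does most of the work: a Host value that is not a hostname is never written raw. Escaping is the second layer for any field that cannot be strictly validated, and the scanner is what a responder would run over historical logs after patching.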
Update CrushFTP to version 10.8.2 or later, or to version 11.2.1 or later, as appropriate. This fixes the stored XSS vulnerability by properly sanitizing the Host header input before it is written to the logs. Further information on updating is available on the CrushFTP website.
CVE-2024-11986 is a CRITICAL stored Cross-Site Scripting (XSS) vulnerability in CrushFTP Server versions 10.0.0–11.2.1, allowing attackers to inject malicious scripts into server logs.
You are affected if you are running CrushFTP Server versions 10.0.0 through 11.2.1. Upgrade to version 11.2.1 or later to resolve the vulnerability.
The recommended fix is to upgrade CrushFTP Server to version 11.2.1 or later. As a temporary workaround, restrict log file access and implement input validation.
While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity suggests a high probability of exploitation.
Refer to the official CrushFTP security advisory for detailed information and updates: [https://knowledgebase.crushftp.com/display/CRFTS/Security+Advisories](https://knowledgebase.crushftp.com/display/CRFTS/Security+Advisories)