Platform: crushftp
Component: crushftp
Fixed in: 10.8.2, 11.2.1
CVE-2024-11986 describes a stored Cross-Site Scripting (XSS) vulnerability affecting CrushFTP Server. This flaw allows an unauthenticated attacker to inject malicious scripts into the application's log files. When an administrator subsequently views these logs, the stored script executes, potentially compromising the administrator's session and leading to further exploitation. This vulnerability impacts versions 10.0.0 through 11.2.1, and a patch is available in version 11.2.1.
The impact of this XSS vulnerability is significant. An attacker can leverage it to execute arbitrary JavaScript code within the context of the administrator's session. This could lead to account takeover, data theft, or even complete control of the CrushFTP server. The attacker doesn't need authentication to initially inject the payload, making it a highly accessible attack vector. Successful exploitation could allow an attacker to steal sensitive files stored and managed by CrushFTP, including credentials and confidential data. The blast radius extends to any data accessible by the administrator account.
CVE-2024-11986 was publicly disclosed on December 13, 2024. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
EPSS: 0.78% (74th percentile)
The primary mitigation for CVE-2024-11986 is to upgrade CrushFTP Server to version 11.2.1 or later, which contains the fix. If upgrading immediately is not possible, apply temporary workarounds: restrict access to the log files to authorized administrators only; enforce strict input validation and sanitization on all user-supplied data, particularly the Host header; and consider a Web Application Firewall (WAF) with XSS filtering rules to block malicious payloads. After upgrading, confirm the vulnerability is resolved by submitting a simple XSS payload in the Host header and verifying that it does not execute when the logs are viewed.
Update CrushFTP to version 10.8.2 or later on the 10.x branch, or to version 11.2.1 or later on the 11.x branch. The fix corrects the stored XSS by properly sanitizing the Host header value before it is written to the logs. Refer to the CrushFTP website for detailed upgrade instructions.
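As an added illustration (not CrushFTP's own code, and in Python rather than the server's Java), the two controls the advisory calls for, input validation of the Host header and encoding of the value before it is logged, together with a scan that flags existing log lines whose recorded Host value is not a plain hostname. The log layout and every sample line are constructed for this example.

```python
import html
import re

# Allow-list for a Host header value: hostname or IPv4 literal, optional port.
# (Assumption: bracketed IPv6 literals are not expected by this server.)
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
    r"(?::[0-9]{1,5})?$"
)

# Hypothetical log layout used for this example; not CrushFTP's real format.
_LOG_HOST_RE = re.compile(r'host="([^"]*)"')

def host_is_well_formed(host: str) -> bool:
    """Input validation: accept only hostname[:port] or IPv4[:port]."""
    return _HOST_RE.fullmatch(host) is not None

def safe_host_for_log(host: str) -> str:
    """Output encoding before the value reaches a log that an HTML-based log
    viewer will render: drop CR/LF (so the value cannot forge extra log lines)
    and escape HTML metacharacters (so it cannot carry markup or script)."""
    return html.escape(host.replace("\r", "").replace("\n", ""), quote=True)

def format_log_line(client_ip: str, host: str, path: str) -> str:
    """Hardened log writer: the Host value is always encoded before writing."""
    return f'client={client_ip} host="{safe_host_for_log(host)}" path={path}'

def scan_log_lines(lines):
    """Detection over existing logs: return (1-based line number, recorded host)
    for every line whose Host value, once HTML-unescaped, fails validation.
    Flags both raw (pre-patch) and encoded (post-patch) injection attempts."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _LOG_HOST_RE.search(line)
        if match and not host_is_well_formed(html.unescape(match.group(1))):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample log lines (not taken from a real CrushFTP server).
SAMPLE_LOG = [
    'client=203.0.113.5 host="files.example.com:8443" path=/',
    'client=203.0.113.7 host="<b>test</b>" path=/',              # raw markup, pre-patch
    'client=203.0.113.9 host="&lt;b&gt;test&lt;/b&gt;" path=/',  # encoded, post-patch
]
```

Running `scan_log_lines(SAMPLE_LOG)` flags lines 2 and 3: the encoded line is harmless to a viewer but still records an injection attempt worth investigating.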
CVE-2024-11986 is a CRITICAL stored Cross-Site Scripting (XSS) vulnerability in CrushFTP Server versions 10.0.0–11.2.1, allowing attackers to inject malicious scripts into server logs.
You are affected if you are running CrushFTP Server versions 10.0.0 through 11.2.1. Upgrade to version 11.2.1 or later to resolve the vulnerability.
The recommended fix is to upgrade CrushFTP Server to version 11.2.1 or later. As a temporary workaround, restrict log file access and implement input validation.
While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity suggests a high probability of exploitation.
Refer to the official CrushFTP security advisory for detailed information and updates: [https://knowledgebase.crushftp.com/display/CRFTS/Security+Advisories](https://knowledgebase.crushftp.com/display/CRFTS/Security+Advisories)