First published: Mon Jan 13 2020 (Updated: )
Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because the folder_up.png IMG element does not properly sanitize user-supplied directory paths before reflecting them into the page. The path modification must be made on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker.
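The defect class described above, as an added example that is not Cerberus FTP Server's own code: a directory listing template that reflects the requested path into an IMG element. The markup shape, the helper names (`folderUpMarkupUnsafe`, `folderUpMarkupSafe`, `elementCount`, `decodedAlt`) and the sample path are all hypothetical; the point is the raw interpolation beside its attribute-escaped form, plus two checks a reviewer or test suite can run over generated markup.

```javascript
// Added example, not Cerberus FTP Server code: markup shape, helper names and
// sample paths are hypothetical/constructed. It shows a directory path reflected
// into an IMG element without escaping, beside the hardened form.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can end an attribute value or start a new tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse of escapeHtml, used here only to inspect what a browser would render.
// '&amp;' is decoded last so that '&amp;lt;' is not double-decoded.
function unescapeHtml(value) {
  return String(value)
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Parent directory of a slash-separated path ("/" for the root).
function parentOf(path) {
  const trimmed = String(path).replace(/\/+$/, '');
  const idx = trimmed.lastIndexOf('/');
  return idx <= 0 ? '/' : trimmed.slice(0, idx);
}

// Vulnerable pattern: the requested path is interpolated raw into attributes,
// so a quote or angle bracket in the path rewrites the page structure.
function folderUpMarkupUnsafe(requestedPath) {
  return `<a href="${parentOf(requestedPath)}">` +
    `<img src="folder_up.png" alt="Up from ${requestedPath}"></a>`;
}

// Hardened pattern: every interpolated value is escaped for the attribute context.
function folderUpMarkupSafe(requestedPath) {
  return `<a href="${escapeHtml(parentOf(requestedPath))}">` +
    `<img src="folder_up.png" alt="Up from ${escapeHtml(requestedPath)}"></a>`;
}

// Check 1: how many elements did the template emit? The template itself has two
// (<a> and <img>); any extra element came from the interpolated input.
function elementCount(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

// Check 2: what does the alt attribute decode to? With correct escaping it
// round-trips to the original text; with raw interpolation it is truncated
// at the first quote in the input.
function decodedAlt(markup) {
  const m = /alt="([^"]*)"/.exec(markup);
  return m ? unescapeHtml(m[1]) : null;
}

// Constructed sample: a path containing characters meaningful to HTML.
const SAMPLE_PATH = '/pub/reports/x"><b>y';

console.log('unsafe :', folderUpMarkupUnsafe(SAMPLE_PATH), elementCount(folderUpMarkupUnsafe(SAMPLE_PATH)));
console.log('safe   :', folderUpMarkupSafe(SAMPLE_PATH), elementCount(folderUpMarkupSafe(SAMPLE_PATH)));
```

Escaping at the point of interpolation is the fix; URL-encoding the `href` separately would be the next step in a real listing renderer, since the attribute context and the URL context have different reserved characters.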
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cerberusftp Ftp Server | >=10.0.0, <10.0.17 | |
| Cerberusftp Ftp Server | >=11.0.0, <11.0.1 | |
CVE-2020-5195 refers to a vulnerability that allows for reflected cross-site scripting (XSS) in Cerberus FTP Server versions prior to 11.0.1 and 10.0.17.
CVE-2020-5195 allows a remote attacker to execute arbitrary JavaScript or HTML by exploiting a crafted public folder URL in Cerberus FTP Server.
The severity of CVE-2020-5195 is medium with a CVSS score of 6.1.
To fix CVE-2020-5195, it is recommended to upgrade Cerberus FTP Server to version 11.0.1 or 10.0.17, which contain the necessary fixes for the vulnerability.
More information about CVE-2020-5195 can be found on the Cerberus FTP Server support website and the provided reference links.