CVE-2021-44076: XSS
First published: Thu Sep 15 2022(Updated: )
An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CrushFTP CrushFTP | >=9.0.0<9.4.0_15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-44076?
The severity of CVE-2021-44076 is medium with a severity value of 4.8.
What is the vulnerability type of CVE-2021-44076?
CVE-2021-44076 is a Stored Cross-Site Scripting (XSS) vulnerability.
How does CVE-2021-44076 occur?
CVE-2021-44076 occurs when a new user is created through the /WebInterface/UserManager/ interface in CrushFTP 9, allowing an attacker with access to the administration panel to perform Stored Cross-Site Scripting.
Which versions of CrushFTP are affected by CVE-2021-44076?
CrushFTP versions between 9.0.0 to 9.4.0_15 are affected by CVE-2021-44076.
How can the CVE-2021-44076 vulnerability be fixed?
To fix CVE-2021-44076 vulnerability, users should update to a version of CrushFTP that is not affected by this vulnerability.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/event
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/crushftp
- canonical/crushftp crushftp
- version/crushftp crushftp/9.0.0