CrushFTP Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in CrushFTP version 11.3.7_50, specifically within the Admin Panel's 'Reports' section titled 'Who Created Folder'. This vulnerability allows authenticated attackers with folder creation permissions to inject malicious HTML or JavaScript. The issue arises from inadequate input sanitization, enabling the execution of injected scripts in the context of the admin user.

Impact

Exploitation of this vulnerability allows for stored HTML injection, where injected scripts are executed in the admin panel, potentially leading to unauthorized actions or data exposure.

Reproduction

To reproduce this vulnerability, log into the CrushFTP Admin Panel and navigate to the 'User Manager'. Select a user and grant them 'Create Folder' permissions. Once the permissions are set, create a new folder with a name that includes the injection payload, such as a header tag followed by text. After the folder is created, go to the 'Reports' section and run the 'Who Created Folder' report. The injected HTML will be executed, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to CrushFTP version 11.3.7_57 or later, where this vulnerability has been addressed.