CrushFTP before 11.3.7_60 is vulnerable to HTML Injection. The Web-Based Server has a feature where users can share files; the feature reflects the filename into an emailbody field with no sanitization, leading to HTML Injection.
CWE-79 — Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
The CrushFTP Web-Based Server has a feature where users can share files. The feature reflects the filename into an emailbody field with no sanitization, leading to HTML injection (HTMLi). While the feature intentionally supports limited HTML code usage, the lack of sanitization makes this injection unintentional and poses a low integrity impact.
- Navigate to http://127.0.0.1:8080/
- Select a file (in case there are no files, an attacker must upload one and then proceed with the other steps)
- Click on "Rename" and rename the file to:
test<h1>HACKED</h1>test.txt
- Select the file
- Click on "Share" and observe the unintentional HTMLi:
Muntadhar M. Ahmed (almuntadhar0x01)
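The weak pattern described above next to its corrected form, as an added example that is not CrushFTP's code: a body template may keep its own limited HTML, but the reflected filename is treated as data and HTML-encoded before insertion. The function names, the `{files}` placeholder and the template text are assumptions made for illustration; the second filename is the one from the reproduction steps.

```javascript
// Added illustration; not CrushFTP source. All function names are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can open or break out of HTML markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the filename is concatenated into the body as markup,
// so any tags it contains become part of the rendered email body.
function buildShareBodyUnsafe(template, fileNames) {
  const items = fileNames.map((name) => "<li>" + name + "</li>").join("");
  return template.replace("{files}", () => "<ul>" + items + "</ul>");
}

// Corrected pattern: the template keeps its intended HTML, while every
// filename is encoded so it can only ever render as text.
function buildShareBodySafe(template, fileNames) {
  const items = fileNames.map((name) => "<li>" + escapeHtml(name) + "</li>").join("");
  // A function replacement keeps "$&" or "$1" in a filename from being expanded.
  return template.replace("{files}", () => "<ul>" + items + "</ul>");
}

// Constructed sample input: an assumed body template and two filenames.
const TEMPLATE = "<p><b>Files shared with you:</b></p>{files}";
const FILE_NAMES = ["report.pdf", "test<h1>HACKED</h1>test.txt"];

console.log(buildShareBodyUnsafe(TEMPLATE, FILE_NAMES));
console.log(buildShareBodySafe(TEMPLATE, FILE_NAMES));
```

Encoding at the point of output leaves the stored filename unchanged, so the file can still be listed and downloaded under its real name.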



