Vulnerability CVE-2020-5194


Published: 2020-01-14

Description:
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even when they lack the permission that would let them see whether the file exists.
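As an added illustration of the authorization flaw described above (not Cerberus FTP Server code; the handler names, users and files are a constructed, hypothetical model), here is a zip-download handler that skips the checks beside a hardened one that enforces the feature-level right and the same per-file visibility rule a directory listing would apply:

```python
import io
import zipfile
# Constructed sample data (not from the advisory): 'zip' is the feature-level
# right, 'view' lists the paths whose existence the user may learn.
USERS = {
    "alice": {"zip": True, "view": {"/pub/readme.txt", "/pub/data.csv"}},
    "bob": {"zip": False, "view": {"/pub/readme.txt"}},
}
FILES = {
    "/pub/readme.txt": b"hello",
    "/pub/data.csv": b"a,b\n1,2\n",
    "/secret/keys.txt": b"do-not-share",
}
class Forbidden(Exception):
    """Raised by the hardened handler when authorization fails."""

def ajax_download_zip_vulnerable(user, paths):
    """CWE-863 pattern: trusts the UI to hide the zip button; no server check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in paths:
            if p in FILES:  # existence of any path leaks to any caller
                zf.writestr(p.lstrip("/"), FILES[p])
    return buf.getvalue()

def ajax_download_zip_fixed(user, paths):
    """Hardened pattern: enforce the feature-level zip right first, then
    apply the same visibility rule as a directory listing, so a path the
    user may not see behaves exactly like a missing file."""
    perms = USERS.get(user)
    if perms is None or not perms["zip"]:
        raise Forbidden("zip permission required")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in paths:
            if p in perms["view"] and p in FILES:
                zf.writestr(p.lstrip("/"), FILES[p])
    return buf.getvalue()

def zip_names(blob):
    """Entry names inside a zip blob, sorted (shows what was bundled)."""
    return sorted(zipfile.ZipFile(io.BytesIO(blob)).namelist())

def denied(handler, user, paths):
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(user, paths)
        return False
    except Forbidden:
        return True
```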

Type: CWE-863 (Incorrect Authorization)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:N)

CVSS Base Score: 5.5/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Affected software: Cerberusftp -> Ftp server

References:
https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements
https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities

Copyright 2024, cxsecurity.com