CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover.
The vulnerability classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) involves improper handling of the password reset process. An attacker can exploit the flawed reset mechanism without needing any privileges or user interaction, conducting the attack remotely over the network. As a result, it is possible to take full control of a selected account.
An attacker can take over any user account in the CrushFTP system, gaining unauthorized access to stored data and FTP server functions. In the case of administrative account takeover, the consequences may include complete system compromise.
CrushFTP must be updated immediately to version 10.8.3 or newer (for the 10 branch) or to version 11.2.3 or newer (for the 11 branch). Details are available in the vendor documentation at: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
CrushFTP version 10 before 10.8.3 and CrushFTP version 11 before 11.2.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCrushftp
APPCrushftp10.0.0 – 10.8.3 (bez)11.0.0 – 11.2.3 (bez)
Related vulnerabilities
CrushFTP – błąd walidacji AS2 umożliwia zdalny dostęp administracyjny
CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora
Server Side Template Injection w CrushFTP — RCE bez uwierzytelnienia
CrushFTP – krytyczna podatność na manipulację atrybutami obiektów (przed wersją 10.5.1)
CrushFTP 8.x before 8.2.0 has a serialization vulnerability.