CVE-2024-4040 Vulnerability Details

  /     /     /  

CVE-2024-4040 Metadata Quick Info

CVE Published: 22/04/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: directcyber | Vendor: CrushFTP | Product: CrushFTP
Status : PUBLISHED

---

CVE-2024-4040 Description

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Metrics

CVSS Version: 3.1 | Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-1336
CWE Name: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Source: CrushFTP

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description: Arbitrary File Read


Source: NVD (National Vulnerability Database).