CVE-2024-11986

Summary

Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or 'Cross-Site Scripting'.

Affected Software

VendorProductVersion RangeStatus
CrushFTP, LLCCrushFTP10.0.0 < 10.8.2affected
CrushFTP, LLCCrushFTP11.0.0 < 11.2.1affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References