PT-2020-18295 · Cerberus · Cerberus FTP Server

Published: 2020-01-14 · Updated: 2021-07-21 · CVE-2020-5194

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Cerberus FTP Server version 8

Description: Cerberus FTP Server version 8 does not properly verify permissions on the zip API endpoint, so an authenticated attacker who lacks the zip permission can still use the zip functionality. By calling the "file/ajax download zip/zip name" API endpoint, a user without the required permission can zip and download files, including files whose existence they are not permitted to see.

Recommendations: For Cerberus FTP Server version 8, restrict access to the "file/ajax download zip/zip name" API endpoint until a patch is available, so that unauthorized users cannot zip and download files.

Exploit

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2020-5194

Affected Products

Cerberus Ftp Server