PT-2022-11976 · Crushftp · Crushftp

Stavros Manis · Published 2022-09-15 · Updated 2022-09-17 · CVE-2021-44076

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CrushFTP version 9

Description: An issue was discovered in the creation of a new user through the "/WebInterface/UserManager/" interface, allowing an attacker with access to the administration panel to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the interface.

Recommendations: For CrushFTP version 9, consider disabling user creation through the /WebInterface/UserManager/ interface until a patch is available, to prevent Stored Cross-Site Scripting (XSS) attacks. Restrict access to the administration panel to minimize the risk of exploitation. Avoid using the /WebInterface/UserManager/ interface for user creation until the issue is resolved.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2021-44076

Affected Products: Crushftp