The CrushFTP server version below 10.7.1 and 11.1.0, including legacy 9.x, is vulnerable to directory traversal. An attacker can exploit this vulnerability to access sensitive files on the server by manipulating the file path in the URL.
Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been identified in Crushftp 7.2.0 (Web Interface) on default configuration. These vulnerabilities allows an attacker to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.
This exploit is a proof of concept for a remote code execution vulnerability in Crush FTP 5. The vulnerability is triggered by sending a specially crafted 'APPE' command with 9000 bytes of data. This causes a buffer overflow which leads to a Blue Screen of Death (BSOD) on the target system.
Services By CQR