CrushFTP up to and including 8.3.0 is vulnerable to credentials theft via URL redirection.
crushftp crushftp