CrushFTP before 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
Vulnerable product: crushftp crushftp
Over 1,400 CrushFTP servers vulnerable to actively exploited bug

By Sergiu Gatlan, April 25, 2024, 12:40 PM

Over 1,400 CrushFTP servers exposed online were found vulnerable to attacks currently targeting a critical severity server-side template injection (SSTI) vulnerability previously exploited as a zero-day. While CrushFTP describes CVE-2024-4040 as a VFS sandbox escape in its managed file transfer software that enables arbitrary file reading, unauthenticated attackers can use it to ga...
CrushFTP warns users to patch exploited zero-day “immediately”

By Sergiu Gatlan, April 19, 2024, 06:33 PM

CrushFTP warned customers today in a private memo of an actively exploited zero-day vulnerability fixed in new versions released today, urging them to patch their servers immediately. As the company also explains in a public security advisory published on Friday, this zero-day bug enables unauthenticated attackers to escape the user's virtual file system (VFS) and download system files. ...