An issue was discovered in CrushFTP 9. The creation of a...
Moderate severity • Unreviewed • Published Sep 16, 2022 to the GitHub Advisory Database • Updated Jan 28, 2023
Published by the National Vulnerability Database: Sep 15, 2022
Description
An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.