ID CVE-2020-5194
Summary The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.
References
Vulnerable Configurations
  • cpe:2.3:a:cerberusftp:ftp_server:8.0:*:*:*:*:*:*:*
CVSS
Base: 5.5
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: SINGLE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
Last major update 14-01-2020 - 14:15
Published 14-01-2020 - 14:15
Last modified 24-01-2020 - 14:16