MidnightBSD

Advisories for cerberusftp

CVE-2004-2769 MEDIUM

Cerberus FTP Server before 4.0.3.0 allows remote authenticated users to list hidden files, even when the "Display hidden files" option is enabled, via the (1) MLSD or (2) MLST commands.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
cerberusftp ftp_server 2.49
cerberusftp ftp_server 2.42
cerberusftp ftp_server 3.0.7
cerberusftp ftp_server 3.0.8
cerberusftp ftp_server 4.0.1.1
cerberusftp ftp_server 2.1
cerberusftp ftp_server 3.0.2
cerberusftp ftp_server 4.0.0.9
cerberusftp ftp_server 3.0.5
cerberusftp ftp_server 3.1.3.1
cerberusftp ftp_server 1.2
cerberusftp ftp_server *
cerberusftp ftp_server 2.23
cerberusftp ftp_server 2.43
cerberusftp ftp_server 2.31
cerberusftp ftp_server 2.45
cerberusftp ftp_server 2.01
cerberusftp ftp_server 3.1
cerberusftp ftp_server 1.03
cerberusftp ftp_server 3.1.1
cerberusftp ftp_server 3.1.0.3
cerberusftp ftp_server 3.0.3
cerberusftp ftp_server 2.44
cerberusftp ftp_server 2.16
cerberusftp ftp_server 2.48
cerberusftp ftp_server 1.1
cerberusftp ftp_server 2.22
cerberusftp ftp_server 2.15
cerberusftp ftp_server 3.1.0.4
cerberusftp ftp_server 2.3
cerberusftp ftp_server 3.1.0.5
cerberusftp ftp_server 3.0.1
cerberusftp ftp_server 4.0.1
cerberusftp ftp_server 1.71
cerberusftp ftp_server 2.11
cerberusftp ftp_server 2.47
cerberusftp ftp_server 3.0.6
cerberusftp ftp_server 1.22
cerberusftp ftp_server 3.1.4
cerberusftp ftp_server 1.0
cerberusftp ftp_server 4.0.0
cerberusftp ftp_server 3.1.3
cerberusftp ftp_server 3.1.2
cerberusftp ftp_server 2.21
cerberusftp ftp_server 2.4
cerberusftp ftp_server 2.50
cerberusftp ftp_server 2.0
cerberusftp ftp_server 2.2
cerberusftp ftp_server 1.01
cerberusftp ftp_server 1.05
cerberusftp ftp_server 1.6
cerberusftp ftp_server 3.0.4
cerberusftp ftp_server 4.0.0.8
cerberusftp ftp_server 1.7
cerberusftp ftp_server 2.46
cerberusftp ftp_server 3.0
cerberusftp ftp_server 2.32
cerberusftp ftp_server 1.5
cerberusftp ftp_server 2.41
cerberusftp ftp_server 4.0.0.6
cerberusftp ftp_server 2.02
cerberusftp ftp_server 1.02
cerberusftp ftp_server 4.0.0.11
cerberusftp ftp_server 4.0.2
cerberusftp ftp_server 3.0.7.1
CVE-2012-6339 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
cerberusftp ftp_server 4.0.2.2
cerberusftp ftp_server 4.0.5.2
cerberusftp ftp_server 4.0.9.5
cerberusftp ftp_server 4.0.4.1
cerberusftp ftp_server 2.49
cerberusftp ftp_server 2.42
cerberusftp ftp_server 4.0.4.3
cerberusftp ftp_server 4.0.9.6
cerberusftp ftp_server 5.0.4.2
cerberusftp ftp_server 3.0.2
cerberusftp ftp_server 3.1.3.1
cerberusftp ftp_server 1.2
cerberusftp ftp_server *
cerberusftp ftp_server 4.0.7.5
cerberusftp ftp_server 2.23
cerberusftp ftp_server 4.0.5.5
cerberusftp ftp_server 4.0.9.1
cerberusftp ftp_server 2.31
cerberusftp ftp_server 2.45
cerberusftp ftp_server 2.01
cerberusftp ftp_server 3.1
cerberusftp ftp_server 1.03
cerberusftp ftp_server 3.1.1
cerberusftp ftp_server 5.0.4.0
cerberusftp ftp_server 3.0.3
cerberusftp ftp_server 5.0.3.0
cerberusftp ftp_server 2.48
cerberusftp ftp_server 4.0.8.3
cerberusftp ftp_server 4.0.9.0
cerberusftp ftp_server 4.0.9.8
cerberusftp ftp_server 2.15
cerberusftp ftp_server 3.1.0.4
cerberusftp ftp_server 3.1.0.5
cerberusftp ftp_server 3.0.1
cerberusftp ftp_server 4.0.1
cerberusftp ftp_server 4.0.9.2
cerberusftp ftp_server 5.0.0.2
cerberusftp ftp_server 1.71
cerberusftp ftp_server 2.11
cerberusftp ftp_server 3.0.6
cerberusftp ftp_server 4.0.3.3
cerberusftp ftp_server 1.0
cerberusftp ftp_server 5.0.2.0
cerberusftp ftp_server 4.0.0
cerberusftp ftp_server 3.1.3
cerberusftp ftp_server 4.0.7.3
cerberusftp ftp_server 4.0.5.3
cerberusftp ftp_server 4.0.3.2
cerberusftp ftp_server 2.4
cerberusftp ftp_server 2.2
cerberusftp ftp_server 1.01
cerberusftp ftp_server 1.05
cerberusftp ftp_server 1.6
cerberusftp ftp_server 1.7
cerberusftp ftp_server 2.32
cerberusftp ftp_server 5.0.4.1
cerberusftp ftp_server 1.5
cerberusftp ftp_server 2.41
cerberusftp ftp_server 4.0.7
cerberusftp ftp_server 5.0.3.1
cerberusftp ftp_server 4.0.0.6
cerberusftp ftp_server 4.0.9.3
cerberusftp ftp_server 2.02
cerberusftp ftp_server 5.0.0.7
cerberusftp ftp_server 4.0.0.11
cerberusftp ftp_server 4.0.2
cerberusftp ftp_server 3.0.7.1
cerberusftp ftp_server 5.0.1.0
cerberusftp ftp_server 4.0.3.0
cerberusftp ftp_server 5.0.0.4
cerberusftp ftp_server 3.0.7
cerberusftp ftp_server 3.0.8
cerberusftp ftp_server 4.0.1.1
cerberusftp ftp_server 2.1
cerberusftp ftp_server 4.0.0.9
cerberusftp ftp_server 3.0.5
cerberusftp ftp_server 4.0.11.0
cerberusftp ftp_server 5.0.1.1
cerberusftp ftp_server 4.0.8.1
cerberusftp ftp_server 2.43
cerberusftp ftp_server 4.0.6
cerberusftp ftp_server 4.0.4.0
cerberusftp ftp_server 4.0.10.0
cerberusftp ftp_server 3.1.0.3
cerberusftp ftp_server 4.0.8.0
cerberusftp ftp_server 2.44
cerberusftp ftp_server 5.0.1.2
cerberusftp ftp_server 2.16
cerberusftp ftp_server 1.1
cerberusftp ftp_server 2.22
cerberusftp ftp_server 4.0.7.6
cerberusftp ftp_server 2.3
cerberusftp ftp_server 4.0.9.4
cerberusftp ftp_server 2.47
cerberusftp ftp_server 1.22
cerberusftp ftp_server 3.1.4
cerberusftp ftp_server 4.0.9.7
cerberusftp ftp_server 3.1.2
cerberusftp ftp_server 5.0.4.3
cerberusftp ftp_server 4.0.3.1
cerberusftp ftp_server 5.0.0.3
cerberusftp ftp_server 2.21
cerberusftp ftp_server 5.0.0.6
cerberusftp ftp_server 4.0.7.2
cerberusftp ftp_server 5.0.0.1
cerberusftp ftp_server 2.50
cerberusftp ftp_server 4.0.4.2
cerberusftp ftp_server 2.0
cerberusftp ftp_server 4.0.5.4
cerberusftp ftp_server 3.0.4
cerberusftp ftp_server 4.0.0.8
cerberusftp ftp_server 2.46
cerberusftp ftp_server 3.0
cerberusftp ftp_server 5.0.0.0
cerberusftp ftp_server 5.0.0.5
cerberusftp ftp_server 5.0.5.0
cerberusftp ftp_server 4.0.5
cerberusftp ftp_server 1.02
CVE-2017-6367 MEDIUM

In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Windows service to crash. The attack methodology involves a long Host header and an invalid Content-Length header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
cerberusftp ftp_server 8.0.10.1
CVE-2019-25046 MEDIUM

The Web Client in Cerberus FTP Server Enterprise before 10.0.19 and 11.x before 11.0.4 allows XSS via an SVG document.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
cerberusftp ftp_server *
CVE-2020-5194 MEDIUM

The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,

Products Affected

Vendor Product Version
cerberusftp ftp_server 8.0
CVE-2020-5195 MEDIUM

Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
cerberusftp ftp_server *
CVE-2020-5196 MEDIUM

Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276,

Products Affected

Vendor Product Version
cerberusftp ftp_server *