MidnightBSD

Advisories for maxum

CVE-2019-19368 MEDIUM

A Reflected Cross Site Scripting was discovered in the Login page of Rumpus FTP Web File Manager 8.2.9.1. An attacker can exploit it by sending a crafted link to end users and can execute arbitrary Javascripts

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
maxum rumpus 8.2.9.1
CVE-2019-19659 MEDIUM

A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users' details, and escalate privileges via RAPR/DefineUsersSet.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus 8.2.9.1
CVE-2019-19660 MEDIUM

A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus 8.2.9.1
CVE-2019-19661 MEDIUM

A Cookie based reflected XSS exists in the Web File Manager of Rumpus FTP Server 8.2.9.1, related to RumpusLoginUserName and snp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2019-19662 MEDIUM

A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can Create and Delete accounts via RAPR/TriggerServerFunction.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2019-19663 MEDIUM

A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus 8.2.9.1
CVE-2019-19664 MEDIUM

A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2019-19665 MEDIUM

A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server FTP settings at RAPR/FTPSettingsSet.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus 8.2.9.1
CVE-2019-19666 MEDIUM

A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2019-19667 MEDIUM

A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2019-19668 MEDIUM

A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2019-19669 MEDIUM

A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1. This could allow an attacker to delete, create, and update the upload forms via RAPR/TriggerServerFunction.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2019-19670 MEDIUM

A HTTP Response Splitting vulnerability was identified in the Web Settings Component of Web File Manager in Rumpus FTP Server 8.2.9.1. A successful exploit can result in stored XSS, website defacement, etc. via ExtraHTTPHeader to RAPR/WebSettingsGeneralSet.html.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
maxum rumpus_ftp 8.2.9.1
CVE-2020-12737 MEDIUM

An issue was discovered in Maxum Rumpus before 8.2.12 on macOS. Authenticated users can perform a path traversal using double escaped characters, enabling read access to arbitrary files on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
maxum rumpus *
CVE-2020-27574 MEDIUM

Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site request forgery (CSRF). If an authenticated user visits a malicious page, unintended actions could be performed in the web application as the authenticated user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
maxum rumpus 8.2.13
maxum rumpus 8.2.14
CVE-2020-27575 MEDIUM

Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
maxum rumpus 8.2.13
maxum rumpus 8.2.14
CVE-2020-27576 LOW

Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site scripting (XSS). Users are able to create folders in the web application. The folder name is insufficiently validated resulting in a stored cross-site scripting vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
maxum rumpus 8.2.13
maxum rumpus 8.2.14
CVE-2020-8514 MEDIUM

An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a directory name, it is possible to activate JavaScript in the context of the web application after invoking the rename folder functionality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
maxum rumpus 8.2.10
CVE-2022-39187

Rumpus - FTP server version 9.0.7.1 has a Reflected cross-site scripting (RXSS) vulnerability through unspecified vectors.

Products Affected

Vendor Product Version
maxum rumpus *
CVE-2022-46367

Rumpus - FTP server Cross-site request forgery (CSRF) – Privilege escalation vulnerability that may allow privilege escalation.

Products Affected

Vendor Product Version
maxum rumpus *
CVE-2022-46368

Rumpus - FTP server version 9.0.7.1 Cross-site request forgery (CSRF) – vulnerability may allow unauthorized action on behalf of authenticated users.

Products Affected

Vendor Product Version
maxum rumpus *
CVE-2022-46369

Rumpus - FTP server version 9.0.7.1 Persistent cross-site scripting (PXSS) – vulnerability may allow inserting scripts into unspecified input fields.

Products Affected

Vendor Product Version
maxum rumpus *
CVE-2022-46370

Rumpus - FTP server version 9.0.7.1 Improper Token Verification– vulnerability may allow bypassing identity verification.

Products Affected

Vendor Product Version
maxum rumpus *
CVE-2025-55055

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@cyber.gov.il 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
maxum rumpus 9.0.12
CVE-2025-55056

Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@cyber.gov.il 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
maxum rumpus 9.0.12
CVE-2025-55057

Multiple CWE-352 Cross-Site Request Forgery (CSRF)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@cyber.gov.il 4.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N 0.9 3.6

Products Affected

Vendor Product Version
maxum rumpus 9.0.12
CVE-2025-55058

CWE-20 Improper Input Validation

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@cyber.gov.il 4.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H 0.9 3.6

Products Affected

Vendor Product Version
maxum rumpus 9.0.12
CVE-2025-55059

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@cyber.gov.il 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
maxum rumpus 9.0.12