#VU111844 Cross-site scripting in CrushFTP - CVE-2021-44076
Published: November 21, 2024 / Updated: June 23, 2025
Vulnerability identifier: #VU111844
Vulnerability risk: Medium
CVSSv4.0:
CVE-ID: CVE-2021-44076
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
CrushFTP
CrushFTP
Software vendor:
CrushFTP
CrushFTP
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS).
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.