CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5194
https://notcve.org/view.php?id=CVE-2020-5194
14 Jan 2020 — The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists. El endpoint de la API zip en Cerberus FTP Server versión 8, permite a un atacante autenticado sin permiso ... • https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2020-5196
https://notcve.org/view.php?id=CVE-2020-5196
14 Jan 2020 — Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission. Cerberus FTP Server Enterprise Editio... • https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements • CWE-276: Incorrect Default Permissions •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5195
https://notcve.org/view.php?id=CVE-2020-5195
13 Jan 2020 — Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attack... • https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 19%CPEs: 1EXPL: 2CVE-2019-9600 – FTP Server 1.32 - Denial of Service
https://notcve.org/view.php?id=CVE-2019-9600
06 Mar 2019 — The Olive Tree FTP Server (aka com.theolivetree.ftpserver) application through 1.32 for Android allows remote attackers to cause a denial of service via a client that makes many connection attempts and drops certain packets. La aplicación Olive Tree FTP Server (también conocida como com.theolivetree.ftpserver), hasta la versión 1.32 para Android, permite a los atacantes remotos provocar una denegación de servicio (DoS) y dejar determinados paquetes. • https://www.exploit-db.com/exploits/46464 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9499 – The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting.
https://notcve.org/view.php?id=CVE-2016-9499
13 Jul 2018 — Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them. El servidor Accellion FTP en versiones anteriores a FTA_9_12_220 solo devuelve el nombre de usuario en la respuesta del servidor si el nombre de usuario no es válido. Un atacante podría usar esta información para determinar cuentas de usuario válidas y enumerarlas. • https://www.kb.cert.org/vuls/id/745607 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-204: Observable Response Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9500 – The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to informaiton exposure
https://notcve.org/view.php?id=CVE-2016-9500
13 Jul 2018 — Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting. El servidor Accellion FTP en versiones anteriores a FTA_9_12_220 emplea el componente de flash Accusoft Prizm Content, que contiene múltiples parámetros (customTabCategoryName, customButton1Image) que son vulnerables a Cross-Site Scripting (XSS). • https://www.kb.cert.org/vuls/id/745607 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-11544
https://notcve.org/view.php?id=CVE-2018-11544
29 May 2018 — The Olive Tree Ftp Server application 1.32 for Android has Insecure Data Storage because a username and password are stored in the /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml file as the prefUsername and prefUserpass strings. La aplicación Olive Tree Ftp Server 1.32 para Android tiene almacenamiento inseguro de datos debido a que se almacena un nombre de usuario y una contraseña en el archivo /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetre... • https://pastebin.com/ygwczqpP • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 52%CPEs: 1EXPL: 2CVE-2017-6367 – Cerberus FTP Server 8.0.10.1 - Denial of Service
https://notcve.org/view.php?id=CVE-2017-6367
13 Mar 2017 — In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Windows service to crash. The attack methodology involves a long Host header and an invalid Content-Length header. En Cerberus FTP Server 8.0.10.1, una petición HTTP manipulada provoca que el servicio de Windows se caiga. La metodología de ataque involucra una larga cabecera Host y una cabecera Content-Length no válida. Cerberus FTP Server version 8.0.10.1 suffers from a denial of service vulnerability. • https://packetstorm.news/files/id/141608 • CWE-20: Improper Input Validation •
CVSS: 4.8EPSS: 0%CPEs: 132EXPL: 1CVE-2012-6339
https://notcve.org/view.php?id=CVE-2012-6339
31 Dec 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en l... • http://archives.neohapsis.com/archives/bugtraq/2012-12/0118.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 126EXPL: 0CVE-2012-5301
https://notcve.org/view.php?id=CVE-2012-5301
04 Oct 2012 — The default configuration of Cerberus FTP Server before 5.0.4.0 supports the DES cipher for SSH sessions, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and performing a brute-force attack on the encrypted data. La configuración por defecto de Cerberus FTP Server anteriores a v5.0.4.0 soporta el cifrado DES para sesiones SSH, lo que facilita a atacantes remotos obtener información sensible espiando la red y realizando un ataque de fuerza bruta sobre los da... • http://www.cerberusftp.com/products/releasenotes.html • CWE-310: Cryptographic Issues •