CVE-2024-11986 – Stored XSS in CrushFTP

https://notcve.org/view.php?id=CVE-2024-11986

13 Dec 2024 — Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or 'Cross-Site Scripting'. • https://crushftp.com/crush11wiki/Wiki.jsp?page=Update • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •