CVE-2020-5194
 
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 1
- Exploited in Wild: -
Description
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-01-02 CVE Reserved
- 2020-01-14 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
References (2)

URL | Date | SRC
---|---|---
https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities | 2024-08-04 |
https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements | 2021-07-21 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Cerberusftp | Ftp Server | 8.0 | - | Affected