CrushFTP 10.8.5 Security Vulnerabilities

Cross-site scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The web-based server has a feature where users can share files; the feature reflects the filename into an emailbody field with no sanitization, leading to HTML injection.
CVSS Score: 6.1
EPSS Score: 0.0
Published: 2025-11-12

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
CVSS Score: 5.0
EPSS Score: 0.005
Published: 2025-04-15

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows directory traversal via the /WebInterface/function/ URI to read files accessible by SMB at UNC share pathnames, bypassing SecurityManager restrictions.
CVSS Score: 5.0
EPSS Score: 0.016
Published: 2025-04-15

