CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
The vulnerability stems from lack of proper validation and access control to object attributes whose values are set dynamically during application runtime. An attacker can remotely manipulate these attributes by sending appropriately crafted data to the CrushFTP server without requiring any privileges. Due to the network vector (AV:N), lack of user interaction requirement (UI:N), and no required privileges (PR:N), the attack can be conducted fully remotely and without prior authentication.
Successful exploitation of this vulnerability can lead to complete server takeover – an attacker can gain access to sensitive data, modify or delete files, and cause service unavailability (complete CIA triad: confidentiality, integrity, availability – all rated as HIGH).
CrushFTP should be immediately updated to version 10.5.1 or later. Patches are available from the vendor according to the references.
CrushFTP in versions prior to 10.5.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCrushftp
APPCrushftp< 10.5.2
Related vulnerabilities
CrushFTP – błąd walidacji AS2 umożliwia zdalny dostęp administracyjny
CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora
Server Side Template Injection w CrushFTP — RCE bez uwierzytelnienia
CrushFTP: Przejęcie konta przez błąd w resetowaniu hasła
CrushFTP 8.x before 8.2.0 has a serialization vulnerability.