CRITICAL🇵🇱 Wersja polska

CVE-2023-43177

CVSS 9.8v3.1pub. 2023-11-18upd. 2024-11-21

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

🤖 AI Analysis
How it works

The vulnerability stems from lack of proper validation and access control to object attributes whose values are set dynamically during application runtime. An attacker can remotely manipulate these attributes by sending appropriately crafted data to the CrushFTP server without requiring any privileges. Due to the network vector (AV:N), lack of user interaction requirement (UI:N), and no required privileges (PR:N), the attack can be conducted fully remotely and without prior authentication.

Impact

Successful exploitation of this vulnerability can lead to complete server takeover – an attacker can gain access to sensitive data, modify or delete files, and cause service unavailability (complete CIA triad: confidentiality, integrity, availability – all rated as HIGH).

Mitigation & patch

CrushFTP should be immediately updated to version 10.5.1 or later. Patches are available from the vendor according to the references.

Who is affected

CrushFTP in versions prior to 10.5.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Crushftp

    APP
    Crushftp
    < 10.5.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-54309CRITICAL9.0⚠ KEVPL ✓ten sam produkt

CrushFTP – błąd walidacji AS2 umożliwia zdalny dostęp administracyjny

CVE-2025-31161CRITICAL9.8⚠ KEVPL ✓ten sam produkt

CrushFTP – pominięcie uwierzytelnienia i przejęcie konta administratora

CVE-2024-4040CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Server Side Template Injection w CrushFTP — RCE bez uwierzytelnienia

CVE-2024-53552CRITICAL9.8PL ✓ten sam produkt

CrushFTP: Przejęcie konta przez błąd w resetowaniu hasła

CVE-2017-14035CRITICAL9.8ten sam produkt

CrushFTP 8.x before 8.2.0 has a serialization vulnerability.