Quick note to users who use CrushFTP. A blog reader has informed me that a serious vulnerability has been discovered and was made public on November 11, 2024. However, there are updates in which this vulnerability, for which no CVE seems to exist yet, is closed. Here are a few details you need to know.
What does CrushFTP do?
CrushFTP is a proprietary multi-protocol and multi-platform file transfer server originally developed in 1999. CrushFTP is shareware with a tiered pricing model and is aimed at home and enterprise users.
CrushFTP supports the following protocols: FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV and WebDAV SSL. The software uses a graphical user interface for administration, but can also be installed as a daemon under Mac OS X, Linux, Unix and as a service under Windows.
Vulnerability in CrushFTP
Dennis F. contacted me by e-mail this week and pointed out that a serious vulnerability in CrushFTP was discovered and made public on 11.11.2024 (thanks for that). Older versions of the software are vulnerable to a password reset email exploit. If an end user clicks on the link, their account will be compromised.
The vendor's website states that all versions of CrushFTP v10 below version 10.8.3 and CrushFTP v11 below version 11.2.3 are affected. The vulnerability has been fixed in the following versions:
- CrushFTP v10.8.3+
- CrushFTP v11.2.3+
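To turn the affected ranges above into a repeatable check across an inventory, here is an added example (not CrushFTP's own code): it parses a version string, compares it against the fixed release for its major branch, and reports which hosts still need the update. The host names and versions in the inventory are constructed for the example.

```python
# Added example, not from CrushFTP: flag installations whose version is below
# the fixed release for their major branch (10.8.3 for v10, 11.2.3 for v11).
from typing import Dict, List, Tuple

# Minimum fixed version per major branch, as stated by the vendor.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    10: (10, 8, 3),
    11: (11, 2, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.2.1' or 'v10.8.3' into a tuple of ints for safe comparison."""
    cleaned = text.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version is older than the fixed release for its branch.

    Branches the advisory does not mention (anything other than 10 or 11)
    raise instead of silently reporting 'not affected'.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        raise ValueError(f"no fix information for major version {v[0]}")
    # Pad short strings so '10.8' compares like 10.8.0; longer strings such as
    # 11.2.3.1 compare element-wise and correctly sort above 11.2.3.
    padded = v + (0,) * max(0, 3 - len(v))
    return padded < fixed


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose CrushFTP version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory (host name -> reported CrushFTP version).
    sample = {
        "ftp-01.example.internal": "10.8.2",
        "ftp-02.example.internal": "10.8.3",
        "ftp-03.example.internal": "v11.2.1",
        "ftp-04.example.internal": "11.2.3",
    }
    for host in affected_hosts(sample):
        print(f"{host}: update required")
```

Run it against the version strings your monitoring already collects; a host that raises `ValueError` has a version format or branch the check does not know and deserves a manual look rather than a green tick.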
The update steps are described on the CrushFTP website. After the update, the URL domains that password-reset e-mails are permitted to link to must be configured.
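The page does not describe the mechanics of the exploit, only that a domain allow-list for reset links is part of the fix. As an added example (not CrushFTP's code, and not a description of its internals), here is the general pattern such a setting enforces: a reset link is only ever built for a host that the operator has explicitly permitted, so a request that names any other host gets no link at all. The allow-list entries and host values are constructed.

```python
# Added example, not from CrushFTP: only build password-reset links whose host
# is on an operator-configured allow-list, regardless of what the request says.
import secrets
from urllib.parse import urlencode

# Assumption: the operator configures these, mirroring the "permitted URL
# domains" setting the article mentions. Constructed values.
ALLOWED_RESET_DOMAINS = {"files.example.com", "ftp.example.com"}


def normalise_host(host_header: str) -> str:
    """Lower-case the host and drop a trailing :port so comparisons are exact."""
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literals are never on a domain allow-list here.
        return ""
    return host.split(":", 1)[0]


def host_is_allowed(host_header: str) -> bool:
    """Exact-match check; 'files.example.com.evil.net' does NOT match."""
    host = normalise_host(host_header)
    return bool(host) and host in ALLOWED_RESET_DOMAINS


def new_reset_token() -> str:
    """Unguessable single-use token for the reset link."""
    return secrets.token_urlsafe(32)


def build_reset_link(host_header: str, token: str) -> str:
    """Return an https reset link, or raise if the host is not permitted."""
    if not host_is_allowed(host_header):
        raise ValueError(f"reset link host not permitted: {host_header!r}")
    return f"https://{normalise_host(host_header)}/reset?" + urlencode({"token": token})


if __name__ == "__main__":
    print(build_reset_link("files.example.com:443", new_reset_token()))
    try:
        build_reset_link("files.example.com.evil.net", new_reset_token())
    except ValueError as exc:
        print("rejected:", exc)
```

The important property is that the check is an exact match against configured names and the scheme is fixed to https, so a link in the e-mail can only ever point at a host the operator chose. After applying the CrushFTP update, verify the equivalent setting is populated: an empty allow-list is the state the update note warns about.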