Cerberus FTP Server Enterprise Edition prior to versions 11.0.1 and 10.0.17 is vulnerable to a cross-site scripting (XSS) attack on Cerberus' public share page. This XSS vulnerability allows a malicious public share link to insert arbitrary JavaScript into the page.

When a user creates a public share of a folder, the generated URL contains a unique key followed by a path. The path portion of the URL supports continued browsing through nested folders within the share: JavaScript code within the public share page uses the path to dynamically update the folders and files displayed to the end user. This JavaScript implicitly trusts the path portion of the URL and does not sanitize it for HTML and JavaScript content. Consequently, a crafted URL can manipulate the JavaScript into rendering arbitrary HTML and JavaScript into the page. Because the payload travels in the link itself, exploitation requires a victim to open a crafted share URL; the injected script then runs in the origin of the Cerberus web interface.

To address this issue, the public share page's JavaScript code now sanitizes all text received through the URL.

This vulnerability impacts Cerberus FTP Server Enterprise deployments using HTTP(S) listeners with Public Sharing enabled. Non-Enterprise editions of Cerberus are not affected, as the HTTP(S) protocols are only a feature of the Enterprise edition. Other transfer protocols, such as FTP, SFTP, and FTPS, are unaffected. Versions 9.0 and older are out of support and no longer receiving updates, whether or not issues in this advisory affect them.

This issue is addressed in versions 11.0.1 and 10.0.17. Cerberus administrators are encouraged to upgrade to these versions or higher as soon as possible.
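The following is an added example, not Cerberus' own code, that models the flaw and the fix described above: a share page that takes the path following the share key out of the URL and builds the folder navigation from it. The URL layout `/share/<key>/<path>`, the function names and the breadcrumb markup are assumptions for illustration; the malicious link is constructed.

```javascript
// Added illustration (not Cerberus code). Assumed share URL layout:
//   https://<host>/share/<unique-key>/<nested>/<folder>/<path>
// The share page reads everything after the key and renders it into the DOM.

// Split a share URL into the unique key and the browsed path segments.
// Segments are percent-decoded, exactly as a page would do before display.
function parseShareUrl(href) {
  const u = new URL(href);
  const parts = u.pathname.split("/").filter(Boolean);
  // parts[0] === "share", parts[1] === key, the rest is the nested folder path
  const key = parts[1] || "";
  const segments = parts.slice(2).map((s) => decodeURIComponent(s));
  return { key, segments };
}

// Minimal HTML escaper: the essence of "sanitize all text received through the URL".
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// BEFORE (vulnerable): URL-derived segments are interpolated straight into
// markup, as they would be when assigned via innerHTML. A crafted segment
// becomes live HTML, so an <img onerror=...> in the path executes script.
function renderBreadcrumbVulnerable(segments) {
  let html = '<nav class="crumbs">';
  segments.forEach((seg, i) => {
    const href = "#/" + segments.slice(0, i + 1).join("/");
    html += `<a href="${href}">${seg}</a>`;
  });
  return html + "</nav>";
}

// AFTER (fixed): every URL-derived string is escaped before entering markup,
// and the href is rebuilt from percent-encoded segments so it cannot break
// out of the attribute either.
function renderBreadcrumbSafe(segments) {
  let html = '<nav class="crumbs">';
  segments.forEach((seg, i) => {
    const href =
      "#/" + segments.slice(0, i + 1).map(encodeURIComponent).join("/");
    html += `<a href="${escapeHtml(href)}">${escapeHtml(seg)}</a>`;
  });
  return html + "</nav>";
}

// Constructed malicious share link: the payload rides in the path portion,
// after the (made-up) share key "abc123".
const maliciousLink =
  "https://files.example.test/share/abc123/docs/" +
  "%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

// Render the same link both ways so the difference is visible.
function demo(link) {
  const { key, segments } = parseShareUrl(link);
  return {
    key,
    segments,
    vulnerable: renderBreadcrumbVulnerable(segments),
    safe: renderBreadcrumbSafe(segments),
  };
}

const out = demo(maliciousLink);
console.log("vulnerable:", out.vulnerable); // contains a live <img onerror=...>
console.log("safe:      ", out.safe); // the tag is shown as inert text
```

Run with `node`. The vulnerable output contains a real `<img>` element with an `onerror` handler, which a browser would fire immediately; the safe output carries the same characters as `&lt;img ...&gt;`, so the share page displays the odd folder name but executes nothing. Escaping at the point where URL text meets HTML (or using `textContent` instead of `innerHTML`) is the property the fix restores; rejecting `<` and `>` in folder names would not be enough, since the attacker controls the link, not the folder.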