CVE-2020-5194 - Authorization Bypass Through User-Controlled Key vulnerability in Cerberusftp FTP Server 8.0
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | LOW |
Integrity impact | LOW |
Availability impact | NONE |
Summary
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker who has not been granted the zip permission to use the zip functionality through an unrestricted API endpoint. The file/ajax_download_zip/zip_name endpoint does not verify the caller's permissions server-side, so a user without the zip permission can zip and download files even where they are not permitted to see whether those files exist. Because the check is missing on the server rather than in the interface, removing the zip control from the web UI does not mitigate the issue; the endpoint must enforce the permission itself.
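The missing server-side check, as an added illustration that is not Cerberus FTP Server's own code: a handler that only verifies the session (the pattern the advisory describes) beside a hardened one that checks the zip permission and then every requested path. The users, the in-memory file store, the directory-visibility model and the handler names are all constructed for this example.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass

# Constructed sample data for the illustration (not Cerberus' real data model):
# a virtual file store and two kinds of per-user authorisation.
FILES = {
    "/pub/readme.txt": b"public notes\n",
    "/finance/q3.xlsx": b"confidential figures\n",
}

@dataclass
class User:
    name: str
    perms: frozenset          # feature permissions, e.g. "zip"
    visible_dirs: frozenset   # directory prefixes the user may list and read

USERS = {
    "alice": User("alice", frozenset({"zip"}), frozenset({"/pub/", "/finance/"})),
    "bob":   User("bob",   frozenset(),        frozenset({"/pub/"})),   # no zip permission
    "carol": User("carol", frozenset({"zip"}), frozenset({"/pub/"})),   # zip, but cannot see /finance
}

def build_zip(paths):
    """Zip the named store entries in memory; paths are already normalised and known to exist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            zf.writestr(p.lstrip("/"), FILES[p])
    return buf.getvalue()

def vulnerable_ajax_download_zip(session_user, paths):
    """Mirrors the flaw in the advisory: only authentication is checked.

    Neither the caller's zip permission nor their right to see each requested
    path is verified, so any logged-in user can zip and fetch anything."""
    if session_user not in USERS:
        return 401, b""
    paths = [posixpath.normpath(p) for p in paths]
    return 200, build_zip(paths)

def hardened_ajax_download_zip(session_user, paths):
    """Server-side fix: authorise the feature first, then authorise every path."""
    user = USERS.get(session_user)
    if user is None:
        return 401, b""
    if "zip" not in user.perms:          # feature-level check the vulnerable handler skips
        return 403, b""
    for raw in paths:
        p = posixpath.normpath(raw)      # collapse ../ before comparing against allowed prefixes
        visible = any(p.startswith(d) for d in user.visible_dirs)
        # Unknown and forbidden paths get the same answer, so the response does not
        # reveal whether a file the user may not list actually exists.
        if not visible or p not in FILES:
            return 403, b""
    return 200, build_zip([posixpath.normpath(p) for p in paths])

def zip_members(blob):
    """Helper for inspecting a returned archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted(zf.namelist())

if __name__ == "__main__":
    # bob has no zip permission and cannot see /finance, yet the vulnerable handler serves it
    status, body = vulnerable_ajax_download_zip("bob", ["/finance/q3.xlsx"])
    print("vulnerable:", status, zip_members(body))
    print("hardened:  ", hardened_ajax_download_zip("bob", ["/finance/q3.xlsx"])[0])
```

The hardened handler deliberately returns the same status for a path the user may not see and for a path that does not exist, which is the second half of the advisory's point: an authorization check that fails only after the file lookup still leaks existence. Against a deployed instance the equivalent check is to call the endpoint from an account that lacks the zip permission and confirm the server refuses, rather than relying on the control being absent from the UI.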
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
- CWE-639: Authorization Bypass Through User-Controlled Key
References
- https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements
- https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities