Vulnerabilities > CVE-2020-5194 - Authorization Bypass Through User-Controlled Key vulnerability in Cerberusftp FTP Server 8.0

CVSS 5.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

cerberusftp

CWE-639

NVD

Published: 2020-01-14

Updated: 2021-07-21

Summary

The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.

Vulnerable Configurations

Part	Description	Count
Application	Cerberusftp Cerberusftp FTP Server 8.0	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements
https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities