Vulnerabilities > CVE-2020-5194 - Incorrect Authorization vulnerability in Cerberusftp FTP Server 8.0

CVSS 5.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

cerberusftp

CWE-863

NVD

Published: 2020-01-14

Updated: 2021-07-21

Summary

The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.

Vulnerable Configurations

Part	Description	Count
Application	Cerberusftp Cerberusftp FTP Server 8.0	1

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements
https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities