ID

VAR-202001-1602


CVE

CVE-2020-5195


TITLE

Cerberus FTP Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2020-001388

DESCRIPTION

Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because the folder_up.png IMG element does not properly sanitize user-inserted directory paths. The path modification must be made on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability affects anyone who clicks the malicious link crafted by the attacker. Cerberus FTP Server contains a cross-site scripting vulnerability; information may be obtained and information may be falsified. Cerberus FTP Server is a multi-channel Windows FTP server. In addition to the regular FTP functions, it also provides users with file access and management permissions, and supports connection restrictions, time and IP access controls, and multipath priority settings.

Trust: 2.16

sources: NVD: CVE-2020-5195 // JVNDB: JVNDB-2020-001388 // CNVD: CNVD-2020-07242

IOT TAXONOMY

category: Network device
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-07242

AFFECTED PRODUCTS

vendor: cerberus
model: ftp server
scope: lt
version: 11.0.1

Trust: 1.4

vendor: cerberus
model: ftp server
scope: lt
version: 10.0.17

Trust: 1.4

vendor: cerberusftp
model: ftp server
scope: gte
version: 10.0.0

Trust: 1.0

vendor: cerberusftp
model: ftp server
scope: gte
version: 11.0.0

Trust: 1.0

vendor: cerberusftp
model: ftp server
scope: lt
version: 10.0.17

Trust: 1.0

vendor: cerberusftp
model: ftp server
scope: lt
version: 11.0.1

Trust: 1.0

sources: CNVD: CNVD-2020-07242 // JVNDB: JVNDB-2020-001388 // NVD: CVE-2020-5195

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5195
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-5195
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-07242
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202001-423
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-5195
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-07242
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-5195
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-5195
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-07242 // JVNDB: JVNDB-2020-001388 // CNNVD: CNNVD-202001-423 // NVD: CVE-2020-5195

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-001388 // NVD: CVE-2020-5195

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-423

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202001-423

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-001388

PATCH

title: Announcements
url: https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements

Trust: 0.8

title: XSS Vulnerability in Public Shares fixed in Cerberus FTP Server version 11.0.1 and 10.0.17
url: https://www.cerberusftp.com/xss-vulnerability-in-public-shares-fixed-in-cerberus-ftp-server-version-11-0-1-and-10-0-17/

Trust: 0.8

title: Patch for Cerberus FTP Server Cross-Site Scripting Vulnerability (CNVD-2020-07242)
url: https://www.cnvd.org.cn/patchInfo/show/200639

Trust: 0.6

title: Cerberus FTP Server fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=106777

Trust: 0.6

sources: CNVD: CNVD-2020-07242 // JVNDB: JVNDB-2020-001388 // CNNVD: CNNVD-202001-423

EXTERNAL IDS

db: NVD
id: CVE-2020-5195

Trust: 3.0

db: JVNDB
id: JVNDB-2020-001388

Trust: 0.8

db: CNVD
id: CNVD-2020-07242

Trust: 0.6

db: CNNVD
id: CNNVD-202001-423

Trust: 0.6

sources: CNVD: CNVD-2020-07242 // JVNDB: JVNDB-2020-001388 // CNNVD: CNNVD-202001-423 // NVD: CVE-2020-5195

REFERENCES

url: https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities

Trust: 2.4

url: https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-announcements

Trust: 1.6

url: https://www.cerberusftp.com/xss-vulnerability-in-public-shares-fixed-in-cerberus-ftp-server-version-11-0-1-and-10-0-17/

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5195

Trust: 1.4

url: https://nvd.nist.gov/vuln/detail/cve-2020-5195

Trust: 1.4

sources: CNVD: CNVD-2020-07242 // JVNDB: JVNDB-2020-001388 // CNNVD: CNNVD-202001-423 // NVD: CVE-2020-5195

SOURCES

db: CNVD, id: CNVD-2020-07242
db: JVNDB, id: JVNDB-2020-001388
db: CNNVD, id: CNNVD-202001-423
db: NVD, id: CVE-2020-5195

LAST UPDATE DATE

2024-11-23T23:08:06.751000+00:00

SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-07242, date: 2020-02-14T00:00:00
db: JVNDB, id: JVNDB-2020-001388, date: 2020-02-05T00:00:00
db: CNNVD, id: CNNVD-202001-423, date: 2021-01-04T00:00:00
db: NVD, id: CVE-2020-5195, date: 2024-11-21T05:33:39.490

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-07242, date: 2020-02-14T00:00:00
db: JVNDB, id: JVNDB-2020-001388, date: 2020-02-05T00:00:00
db: CNNVD, id: CNNVD-202001-423, date: 2020-01-13T00:00:00
db: NVD, id: CVE-2020-5195, date: 2020-01-13T18:15:14.610