Description
CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.
References
- Exploit, Third Party Advisory
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1: versions from 11.0.1 (inclusive) up to 11.3.7_57 (exclusive)
cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
EPSS: 0.0005 (percentile: 15%, Low)
CVSS3: 4.1 Medium
Weaknesses
CWE-79
Related vulnerabilities
GitHub
3 months ago
A stored cross-site scripting (XSS) vulnerability in the CrushFTP 11.3.7_50 Admin Panel (Reports / 'Who Created Folder') allows authenticated attackers with permissions to create folders to inject malicious HTML/JavaScript.
EPSS: 0.0005 (percentile: 15%, Low)
CVSS3: 4.1 Medium
Weaknesses
CWE-79