CVE-2020-5194
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.Enginsight
Vendor | Product | Version |
---|---|---|
cerberusftp | ftp_server | 8.0 |
Common Weakness Enumeration