| At line 1 changed 6 lines |
| __November 11th, 2024 - (CVE - coming soon...pending)\\ |
| V10 versions below 10.8.3 and V11 versions below 11.2.3 are vulnerable to a password reset email exploit. If an end user clicks the link, their account is compromised. |
| (CREDIT: Stratascale Cyber Research Unit)__\\ |
| Once you update you must configure your allowed email reset URL domains.\\ |
| v10:Preferences, WebInterface, MiniURL: Set an allowed list of domains, comma separated.\\ |
| v11:Preferneces, WebInterface, Login Page: Set a domain pattern that is not just '*' as a '*' is no longer allowed.\\ |
| !!!__CrushFTP 11.0.0 to 11.3.0 are vulnerable. Update to 11.3.1+ immediately.__ |
| !!!__CrushFTP 10.0.0 to 10.8.3 are vulnerable. Update to 10.8.4+ immediately.__ |
| \\ |
|
| !!!__Automated Updating__ |
| Setting the flag "daily_check_and_auto_update_on_idle" to true in prefs.XML of CrushFTP v11.2.3_19+ will do automated daily checks and updates. |
|
| At line 11 added 4 lines |
| \\ |
| !!Vulnerability Info |
| __March 21, 2025 - Unauthenticated HTTP(S) port access on CrushFTPv10/v11 (CVE:TBA)__\\ |
| This issue affects both CrushFTP v10 and v11. The exploit does not work if you have the [DMZ] proxy instance of CrushFTP in place. The vulnerability was respnsibly disclosed, it is not being used actively in the wild that we know of, no further details will be given at this time. |
| At line 11 changed one line |
| April 19th, 2024 - CVE-2024-4040\\ |
| November 11th, 2024 - (CVE-2024-53552 - CREDIT: Stratascale Cyber Research Unit)\\ |
| V10 versions below 10.8.3 and V11 versions below 11.2.3 are vulnerable to a password reset email exploit. If an end user clicks the link, their account is compromised.\\ |
| Once you update you must configure your allowed email reset URL domains.\\ |
| v10:Preferences, WebInterface, MiniURL: Set an allowed list of domains, comma separated.\\ |
| v11:Preferneces, WebInterface, Login Page: Set a domain pattern that is not just '*' as a '*' is no longer allowed.\\ |
| ---- |
| October 10, 2024 - (CVE-2024-11986 credit European Commission, Application Security Testing Services) \\ |
| XSS bug fixed in CrushFTP 10.8.2 and 11.2.1. |
| ---- |
| April 19th, 2024 - (CVE-2024-4040)\\ |
| At line 16 changed 2 lines |
| •If I'm on v10.8.3+...do I need to upgrade to v11? No, 10.8.3+ are safe.\\ |
| •If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.8.3+ or v11.2.3+.\\ |
| •If I'm on v10.8.4+...do I need to upgrade to v11? No, 10.8.4+ are safe.\\ |
| •If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.8.4+ or v11.3.1+.\\ |
| At line 33 added one line |
| ---- |
| At line 35 changed 2 lines |
|
|
| \\ |
| \\ |
| !Fully manual offline update: |
| In some rare scenarios when neither of the above methods work, like file permissions prevent consuming the update file or overwriting the necessary components by the updater. In such case: |
| 1.) Download CrushFTP11.zip from our download page. ([https://www.crushftp.com/early11/CrushFTP11.zip|https://www.crushftp.com/early11/CrushFTP11.zip])\\ |
| 2.) Unzip it to a temporary directory\\ |
| 3.) Stop the CrushFTP service |
| 4.) Copy over the installation the full content or just the __CrushFTP.jar__ file and the __plugins and WebInterface__ subdirectories as these are. Overwrite all when prompted.\\ |
| 5.) Start the Crush service. Once back on line, clear the browser cache or check with an incognito/private browser session. \\ |
| \\ |
| ---- |
| \\ |
| At line 68 added one line |
| ---- |
| At line 70 added one line |
| ---- |
