CVE-2019-19665: 
Rumpus vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Rumpus FTP 8.2.9.1's Web File Manager, specifically in the FTP Settings component. The vulnerability was disclosed on February 10, 2020, affecting the FTP Settings functionality accessible through RAPR/FTPSettingsSet.html (NVD, MITRE CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The attack requires user interaction but no privileges, and can be executed remotely with low attack complexity (NVD).

The vulnerability allows attackers to manipulate various FTP server configurations without authorization. Specifically, an attacker can modify settings including enabling/disabling FTP service, FTP port configurations, security settings, logs, welcome/goodbye messages, and timeout parameters. This can lead to significant changes in the server's FTP configuration when exploited successfully (GitHub Advisory).

The vulnerability affects Rumpus FTP version 8.2.9.1. Users should upgrade to a patched version of the software. Additionally, implementing CSRF tokens and proper request validation mechanisms can help prevent such attacks (NVD).