
Cloud Vulnerability DB
A community-led vulnerabilities database
A stored Cross-Site Scripting (XSS) vulnerability was discovered in CrushFTP 9 (CVE-2021-44076). The vulnerability exists in the creation of a new user through the /WebInterface/UserManager/ interface, allowing an attacker with access to the administration panel to perform Stored Cross-Site Scripting (XSS). The issue was discovered in November 2021 and was fixed in version 9.4.0_15 released in March 2022 (Nettitude Labs).
The vulnerability stems from missing server-side validation of username data in the /WebInterface/UserManager interface. Client-side sanitization prevents the creation of usernames containing special characters, but an attacker can intercept and modify the request before the username is added to the application's backend, so that check is not a security boundary. The root cause lies in the setUserItem function inside the crushftp/server/AdminControls.class file, which performs no input filtering on the username, so special characters reach the backend unsanitized. In addition, no output encoding is applied when the stored data is displayed within the affected page (Nettitude Labs).
Because the payload is stored, it executes wherever the username is rendered, for example when the user's page appears in the Most Visited section or when attempting to delete the user. The impact includes theft of information such as session cookies or other sensitive data, and could potentially be leveraged for privilege escalation or account takeover (Nettitude Labs).
The vulnerability was fixed in CrushFTP version 9.4.0_15. Users should upgrade to this version or later to remediate the issue. As the mitigation, the vendor implemented output encoding of the username in combination with a strong Content Security Policy (Nettitude Labs).
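As an added illustration of the two defects and their fixes (example code written for this entry, not CrushFTP's own; the function names, the username allow-list and the CSP value are assumptions), the flawed rendering pattern sits beside its hardened counterpart, with server-side validation that does not rely on the browser-side filter:

```python
import html
import re
from typing import Dict, Tuple

# Allow-list for usernames, enforced on the server (assumed policy for this
# example; CrushFTP's own client-side rule is not reproduced here).
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Constructed sample input: a username carrying markup that a client-side
# filter would block but a modified request can still submit.
TAMPERED_NAME = "bob<script>x</script>"


def validate_username(name: str) -> bool:
    """Server-side check; the browser-side filter is not a security boundary."""
    return USERNAME_RE.fullmatch(name) is not None


def set_user_item(store: Dict[str, dict], name: str) -> Tuple[bool, str]:
    """Hardened counterpart of a user-creation handler: reject, don't sanitise."""
    if not validate_username(name):
        return False, "username contains characters outside the allow-list"
    store[name] = {"name": name}
    return True, "ok"


def render_user_row_vulnerable(name: str) -> str:
    """Flawed pattern: untrusted data interpolated straight into HTML."""
    return f'<tr><td class="user">{name}</td><td><a href="#" onclick="del(\'{name}\')">delete</a></td></tr>'


def render_user_row_fixed(name: str) -> str:
    """Output encoding for the HTML context, and no inline JS so a CSP can forbid it."""
    safe = html.escape(name, quote=True)
    return f'<tr><td class="user">{safe}</td><td><button data-user="{safe}">delete</button></td></tr>'


# Response header to pair with the encoding fix: no inline scripts or handlers.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    print(set_user_item(users, TAMPERED_NAME))        # rejected before storage
    print(render_user_row_vulnerable(TAMPERED_NAME))  # script tag survives
    print(render_user_row_fixed(TAMPERED_NAME))       # entities only
```

The encoded row still displays the original characters to the administrator, which is why output encoding rather than stripping is the right fix for the display path.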
Source: This report was generated using AI