Security Advisory News! Monsta FTP 2.10.1 (CVE-2020-14057, CVE-2020-14056, CVE-2020-14055)
Arbitrary File Read and Write (CVE-2020-14057)
Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20191203-01_Monsta_FTP_Arbitrary_File_Read_and_Write
Server-Side Request Forgery (CVE-2020-14056)
Monsta FTP 2.10.1 or below is prone to a server-side request forgery vulnerability due to insufficient restriction of the web fetch functionality. This allows attackers to read arbitrary local files and interact with arbitrary third-party services.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20191203-02_Monsta_FTP_Server-Side_Request_Forgery
Stored Cross-Site Scripting (CVE-2020-14055)
Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting vulnerability in the language setting due to insufficient output encoding.
Full security advisory: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20191211-01_Monsta_FTP_Stored_XSS