Security Advisory Description
During a security audit, we determined that Cerberus FTP Server Enterprise versions prior to 12.2 and 11.3.10 are vulnerable to a cross-site scripting (XSS) attack. This vulnerability is located in the preview lightbox plugin jquery-colorbox. Through this, client users could run scripts on their computer when attempting to preview a file whose name contained html markup language: https://snyk.io/vuln/npm:jquery-colorbox:20171115. The ability to upload a file and have the preview run JavaScript is a security vulnerability that doesn’t have a planned remedy and is a known issue that was declined to be addressed. Due to this, we have switched to using venobox for our lightbox previews instead of colorbox.
Scope
- This vulnerability impacts the Enterprise edition of Cerberus FTP Server.
Known Affected Versions
- 12.0 releases prior to 12.2
- 11.0 releases prior to 11.3.10
- 10.0 and earlier are also affected. These versions are out of support and no longer receive updates.
Mitigation
This issue is addressed in versions 12.2 and 11.3.10. As always, Cerberus administrators are urged to upgrade to these versions or higher as soon as possible. There are no known mitigations beyond limiting files uploaded to the server.