
CVE-2020-8514

a guest
Feb 1st, 2020
> [Suggested description]
> An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a
> filename, it is possible to activate JavaScript in the context of the
> web application after invoking the rename folder functionality.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Maxum
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Rumpus FTP Web File Manager - 8.2.10 for Mac OSX
>
> ------------------------------------------
>
> [Affected Component]
> The rename folder functionality.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> By creating a folder with the name <img src=/ onerror=alert(0);> and
> then clicking 'rename' in the cog icon, we can observe that the
> browser will interpret the injected javascript.
>
> ------------------------------------------
>
> [Reference]
> https://www.maxum.com/Rumpus/Download.html
>
> ------------------------------------------
>
> [Discoverer]
> Jayden Kaio Rivers

Use CVE-2020-8514.
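
The report above describes a folder name being interpreted as markup when the rename dialog is shown. As an added example (not part of the original paste and not Rumpus code; the dialog markup and all function names are hypothetical), this JavaScript contrasts concatenating a stored name into HTML with encoding it first, and checks the rendered output for tags the template did not write:

```javascript
// Added illustration; function names and dialog markup are hypothetical, not Rumpus code.

// Encode the five characters that can break out of HTML text or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the stored folder name is concatenated into markup as-is,
// so any tags in the name become live elements when the dialog is shown.
function renderRenameDialogUnsafe(folderName) {
  return '<form class="rename">' +
    '<h3>Rename ' + folderName + '</h3>' +
    '<input name="newName" value="' + folderName + '">' +
    '</form>';
}

// Hardened pattern: the name is encoded for both contexts it lands in
// (element text and a double-quoted attribute value).
function renderRenameDialogSafe(folderName) {
  const safe = escapeHtml(folderName);
  return '<form class="rename">' +
    '<h3>Rename ' + safe + '</h3>' +
    '<input name="newName" value="' + safe + '">' +
    '</form>';
}

// List tags in rendered output that the template itself never emits;
// a regression test can require this list to be empty for any folder name.
function unexpectedTags(html) {
  const allowed = new Set(['form', 'h3', 'input']);
  const found = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)];
  return found.map((m) => m[1].toLowerCase()).filter((t) => !allowed.has(t));
}

// The folder name quoted in the report, plus a constructed legitimate name
// containing characters that must survive encoding unchanged for the user.
const SAMPLE_NAMES = ['<img src=/ onerror=alert(0);>', 'Q1 "reports" & plans'];

// Run a renderer over the sample names and report tags it let through.
function auditRenderer(render) {
  return SAMPLE_NAMES.map((name) => ({ name, unexpected: unexpectedTags(render(name)) }));
}
```

Running `auditRenderer` against each renderer in a unit test gives a regression check for the rename view: the encoded version must report no unexpected tags for any stored name.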