CVE-2024-4040

Statement on CVE-2024-4040 CrushFTP Zero-day

May 10, 2024

Information

A server-side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Severity

Low

Response

Melissa Data Corporation (“Melissa”) was not impacted by the CrushFTP vulnerability as we do not utilize the affected version of CrushFTP for any Melissa commercial web services or products.

Melissa will continue to follow all guidance provided for this vulnerability as necessary to prevent any future risks.

If you have any additional questions, please contact Melissa’s Compliance department at Compliance@melissa.com.