CVE-2024-11986

9.6

Critical

Published:13 Dec 2024

Last updated:17 Jun 2026

Source:a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

Deferred

Weakness (CWE)

CWE-79Cross-site Scripting (XSS)

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or 'Cross-Site Scripting'.

References

a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

https://crushftp.com/crush11wiki/Wiki.jsp?page=Update