CrushFTP | Breaking Cybersecurity News | The Hacker News

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP  said  in an advisory released Friday. "This has been patched in v11.1.0." That said, customers who are operating their CrushFTP instances within a  DMZ  ( demilitarized zone ) restricted environment are protected against the attacks. Simon Garrelou of Airbus CERT has been credited with discovering and reporting the flaw. It has yet to be assigned a CVE identifier. Cybersecurity company CrowdStrike, in a post shared on Reddit, said it has observed an exploit for the flaw being used in the wild in a "targeted fashion." These intrusions are said to have mainly targeted U.S. entities, with the intelligence gathering activity suspe

The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files. A brief description of the vulnerabilities is as follows - CVE-2023-49103 (CVSS score: 10.0) - Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0. CVE-2023-49105 (CVSS score: 9.8) - WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0. CVE-2023-49104 (CVSS score: 9.0) - Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1. "The 'graphapi' app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)," the company  said  of the first flaw. "This information includes all the environment variables of the web server. In containerized deplo