CVE-2019-25046

MEDIUM

Cerberus FTP Server <10.0.19, <11.0.4 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25046. PoCs published by Mohammad Hossein Kaviyany.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Cerberus FTP Server by uploading an SVG file with malicious JavaScript in the onload attribute. The payload is delivered via a multipart/form-data POST request to the /file/upload endpoint.

Description

The Web Client in Cerberus FTP Server Enterprise before 10.0.19 and 11.x before 11.0.4 allows XSS via an SVG document.

Exploits (1)

exploitdb WORKING POC

by Mohammad Hossein Kaviyany · textwebappsmultiple

https://www.exploit-db.com/exploits/49981

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Cerberus FTP Server by uploading an SVG file with malicious JavaScript in the onload attribute. The payload is delivered via a multipart/form-data POST request to the /file/upload endpoint.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Cerberus FTP Server versions 11.0 prior to 11.0.4, 10.0 prior to 10.0.19, and 9.0 and earlier

Auth required

Prerequisites: Access to the Cerberus FTP web interface · Valid session cookie (cftpSID) · CSRF token

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://www.cerberusftp.com/products/releasenotes/

Mitigation, Vendor Advisory x_refsource_misc

https://www.cerberusftp.com/xss-vulnerability-when-previewing-svg-content/

Scores

CVSS v3 6.1

EPSS 0.0177

EPSS Percentile 75.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

cerberusftp/ftp_server < 10.0.19

Published Jun 10, 2021

Tracked Since Feb 18, 2026