CVE-2019-19661 in FTP Server
Summary
by MITRE
A Cookie based reflected XSS exists in the Web File Manager of Rumpus FTP Server 8.2.9.1, related to RumpusLoginUserName and snp.
Analysis
by VulDB Data Team • 05/11/2025
The vulnerability CVE-2019-19661 is a critical cross-site scripting flaw in the web-based file management interface of Rumpus FTP Server version 8.2.9.1. The issue affects the authentication handling, where user session data is stored in cookies and reflected back to users without proper sanitization. It manifests in the RumpusLoginUserName and snp parameters, which are processed within the web interface and can be manipulated by an attacker to inject script code. Because the vulnerability is reflected, an attacker can craft a malicious URL containing an XSS payload that, when clicked by an authenticated user, executes the script within the user's browser context. This type of vulnerability falls under CWE-79, which covers cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments or links.
Exploiting this vulnerability requires an attacker to craft a malicious URL that includes script code within the RumpusLoginUserName or snp cookie parameters. When a victim accesses the crafted URL while authenticated to the Rumpus FTP server, the server reflects the script code back to the user's browser through the web interface. The reflected payload executes in the context of the victim's session, potentially allowing attackers to steal session cookies, redirect users to malicious sites, or perform actions on behalf of the authenticated user. The cookie-based nature of this vulnerability means that attackers can leverage existing authentication sessions to execute their payloads without needing to authenticate separately. This weakness is particularly dangerous in environments where administrators or authorized users frequently interact with the web interface, as it can lead to complete compromise of the affected system through session hijacking or privilege escalation.
The operational impact of CVE-2019-19661 extends beyond simple script execution, as it can enable attackers to perform sophisticated attacks including session hijacking, data exfiltration, and privilege escalation within the FTP server environment. An attacker who successfully exploits this vulnerability can potentially access sensitive files, modify server configurations, or establish persistent access to the system. The reflected XSS nature makes this vulnerability particularly challenging to defend against since the malicious payload is not stored on the server but rather reflected back to the user's browser upon request. This characteristic aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as attackers can leverage the reflected script execution to run arbitrary commands. Organizations using Rumpus FTP Server 8.2.9.1 are at significant risk of unauthorized access and data compromise, particularly in environments where the web interface is exposed to untrusted networks.
Mitigation strategies for CVE-2019-19661 should focus on both immediate patching and defensive measures. The most effective solution is to upgrade to a patched version of Rumpus FTP Server that addresses this vulnerability in the cookie handling and input validation processes. Organizations should apply proper input sanitization and output encoding to all cookie parameters, particularly those related to user authentication and session management. Content Security Policy headers can provide additional protection against script execution, and cookie security attributes such as HttpOnly, Secure, and SameSite should be enforced to prevent cookie-based attacks. Network segmentation and access controls should limit exposure of the web interface to trusted networks only, reducing the attack surface. Regular security monitoring and log analysis should be in place to detect potential exploitation attempts, with specific attention to unusual cookie parameter values and unauthorized access patterns. Organizations should also consider deploying web application firewalls to detect and block malicious payloads targeting this vulnerability, and conducting regular security assessments to identify similar issues in other web applications within their infrastructure.
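The output-encoding, Content Security Policy and cookie-attribute measures above, shown on a hypothetical handler as an added example. This is not Rumpus code: the page template, the URL-decoding step and the function names are assumptions, and only the two cookie names come from the CVE description.

```python
# Added illustration, not Rumpus code. The template, the URL-decoding step and all
# function names are assumptions; only the two cookie names come from the CVE text.
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import unquote

REFLECTED = ("RumpusLoginUserName", "snp")
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
TEMPLATE = '<input name="user" value="{RumpusLoginUserName}"><span id="snp">{snp}</span>'

# Constructed sample request header carrying harmless markup in both cookies.
SAMPLE = "RumpusLoginUserName=alice%22%3E%3Cb%3Eprobe%3C%2Fb%3E; snp=%3Ci%3Ex%3C%2Fi%3E"


def reflected_values(cookie_header):
    """Return the decoded values of the cookies that the page echoes back."""
    jar = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name not in jar:
            jar[name] = unquote(value)
    return {name: jar.get(name, "") for name in REFLECTED}


def render_before(cookie_header):
    """Flawed pattern: cookie values are placed into the markup verbatim."""
    return TEMPLATE.format(**reflected_values(cookie_header))


def render_after(cookie_header):
    """Corrected pattern: encode after decoding, at the point of output, and add a CSP."""
    safe = {k: escape(v, quote=True) for k, v in reflected_values(cookie_header).items()}
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Content-Security-Policy": CSP,
               "X-Content-Type-Options": "nosniff"}
    return headers, TEMPLATE.format(**safe)


def session_set_cookie(name, value):
    """Set-Cookie value carrying the HttpOnly, Secure and SameSite attributes."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name].update({"path": "/", "httponly": True, "secure": True, "samesite": "Strict"})
    return cookie[name].OutputString()
```

Encoding is applied after URL-decoding and at the point of output, so a value that arrives percent-encoded cannot slip past the check and be decoded into markup later.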