To enhance security, Cerberus FTP Server requires that the domains used for password reset links and public share links be included in the "allow list."
In versions 11.0 and 10.0.17, a security vulnerability related to HTTP host header attacks in the password reset functionality was addressed. This vulnerability could potentially be exploited through malicious password reset emails. As a preventive measure, administrators are now required to configure an "allow list" of acceptable domains, host names, or IP addresses. Only entries on this list are permitted for password reset operations or the creation of public shares.
Here's how to add a domain to the "allow list":
1. Open the Server Manager.
2. Navigate to the Protocols page.
3. Select the HTTP and HTTPS tab.
4. Add a domain, host name, or IP address to the comma-separated list provided for the Client Domain Allow List.
5. Save your settings by clicking the Save button in the Server Manager.
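
The Python sketch below is an added illustration, not Cerberus FTP Server code. It shows the general pattern behind host header attacks on password reset (a link built straight from the request's Host header) next to a version that first checks the header against a comma-separated allow list. The allow list value, the /reset path and all function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample value for a comma-separated allow list setting.
ALLOW_LIST_SETTING = "files.example.com, ftp.example.com, 192.0.2.10"
RESET_PATH = "/reset"  # hypothetical path, not the product's real URL

_HOST_CHARS = re.compile(r"[A-Za-z0-9.\-:\[\]]+")


def canonical_host(value):
    """Return the lowercased host without port or trailing dot, or None if malformed."""
    value = value.strip()
    if not _HOST_CHARS.fullmatch(value):
        return None  # rejects '@', '/', whitespace and similar characters
    try:
        host = urlsplit("//" + value).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    return (host or "").rstrip(".") or None


def parse_allow_list(setting):
    """Turn the comma-separated setting into a set of canonical hosts."""
    hosts = (canonical_host(entry) for entry in setting.split(","))
    return {h for h in hosts if h}


def reset_link_unchecked(host_header, token):
    """Weak pattern: the link's domain is whatever the request's Host header says."""
    return f"https://{host_header}{RESET_PATH}?token={token}"


def reset_link_checked(host_header, token, allowed):
    """Build the link only when the Host header names an allow-listed host."""
    host = canonical_host(host_header)
    if host is None or host not in allowed:
        return None  # refuse to email a link pointing at an unexpected domain
    if ":" in host:  # an IPv6 literal needs brackets inside a URL
        host = f"[{host}]"
    return f"https://{host}{RESET_PATH}?token={token}"


if __name__ == "__main__":
    allowed = parse_allow_list(ALLOW_LIST_SETTING)
    for header in ("FILES.example.com:443", "other.example.net"):
        print(header, "->", reset_link_checked(header, "TOKEN", allowed))
```

The checked version builds the link from the canonical host rather than the raw header, so a port or odd casing in the request never reaches the email.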