30 results (0.007 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024 https://www.progress.com/ftp-server • CWE-290: Authentication Bypass by Spoofing CWE-304: Missing Critical Step in Authentication •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal.   An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:) This vulnerability allows remote attackers to disclose sensitive information on affected installations of Progress Software WS_FTP. Authentication is required to exploit this vulnerability. The specific flaw exists within the FileHandler module. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of NETWORK SERVICE. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024 https://www.progress.com/ftp-server • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface. En las versiones del servidor WS_FTP anteriores a la 8.8.5, se identificaron problemas de Cross-Site Scripting Reflejado en varias entradas proporcionadas por el usuario en la interfaz administrativa del servidor WS_FTP. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-February-2024 https://www.progress.com/ws_ftp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0

In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application. WS_FTP Server en las versiones anteriores a 8.7.6 y 8.8.4, se identificó una falla en la carga de archivos sin restricciones. Un usuario autenticado de Ad Hoc Transfer tiene la capacidad de crear una llamada API que le permite cargar un archivo en una ubicación específica en el sistema operativo subyacente que aloja la aplicación del servidor WS_FTP. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023 https://www.progress.com/ws_ftp • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

In WS_FTP Server version prior to 8.8.2, an unauthenticated user could enumerate files under the 'WebServiceHost' directory listing. En la versión del servidor WS_FTP anterior a la 8.8.2, un usuario no autenticado podía enumerar archivos en la lista del directorio 'WebServiceHost'. • https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023 https://www.progress.com/ws_ftp • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •