
CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in the mirrored server management interface in SurgeFTP 2.3a1 allows user-assisted, remote FTP servers to inject arbitrary web script or HTML via a malformed response without a status code, which is reflected to the user in the resulting error message. NOTE: this can be leveraged for root access via a sequence of steps involving web script that creates a new FTP user account.

References:
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070710/98374694/attachment-0031.txt
http://marc.info/?l=full-disclosure&m=118409539009277&w=2
http://osvdb.org/37911
http://secunia.com/advisories/26061
http://www.vupen.com/english/advisories/2007/2528
https://exchange.xforce.ibmcloud.com/vulnerabilities/35378

CVSS: 5.0 | EPSS: 1% | CPEs: 2 | EXPL: 0

SurgeFTP 2.2m1 allows remote attackers to cause a denial of service (application hang) via the LEAK command.

References:
http://marc.info/?l=bugtraq&m=111289226204780&w=2
http://secunia.com/advisories/14888
http://securitytracker.com/id?1013664
http://www.security.org.sg/vuln/surgeftp22m1.html
http://www.securityfocus.com/bid/13054
https://exchange.xforce.ibmcloud.com/vulnerabilities/20011

CVSS: 5.0 | EPSS: 1% | CPEs: 11 | EXPL: 2

The administrative interface (surgeftpmgr.cgi) for SurgeFTP Server 1.0b through 2.2k1 allows remote attackers to cause a temporary denial of service (crash) via requests with two percent (%) signs in the CMD parameter.

References:
http://members.lycos.co.uk/r34ct/main/surge_FTP/surge-ftp.txt
http://securitytracker.com/id?1008898
http://www.osvdb.org/3788
http://www.secunia.com/advisories/10758
http://www.securityfocus.com/bid/9554
https://exchange.xforce.ibmcloud.com/vulnerabilities/15001

CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 2

NetWin SurgeFTP 2.0a and 1.0b allows a remote attacker to cause a denial of service (crash) via a CD command to a directory with an MS-DOS device name such as con.

References:
http://netwinsite.com/surgeftp/manual/updates.htm
http://www.securityfocus.com/archive/1/191916
http://www.securityfocus.com/bid/2891
https://exchange.xforce.ibmcloud.com/vulnerabilities/6712

CVSS: 5.0 | EPSS: 1% | CPEs: 1 | EXPL: 3

NetWin SurgeFTP prior to 1.1h allows a remote attacker to cause a denial of service (crash) via an 'ls ..' command.

References:
https://www.exploit-db.com/exploits/20659
http://netwinsite.com/surgeftp/manual/updates.htm
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=20200
http://www.securityfocus.com/archive/1/165816
http://www.securityfocus.com/bid/2442
https://exchange.xforce.ibmcloud.com/vulnerabilities/6168