CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9999 – Multi-Factor Authentication Bypass in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-9999
12 Nov 2024 — In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2024 • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7745 – Multi-Factor Authentication Bypass in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-7745
28 Aug 2024 — In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024 • CWE-290: Authentication Bypass by Spoofing CWE-304: Missing Critical Step in Authentication •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7744 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-7744
28 Aug 2024 — In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal. An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:) This vulnerability... • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1474 – WS_FTP Server Reflected Cross-Site Scripting in Administrative Interface
https://notcve.org/view.php?id=CVE-2024-1474
21 Feb 2024 — In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface. En las versiones del servidor WS_FTP anteriores a la 8.8.5, se identificaron problemas de Cross-Site Scripting Reflejado en varias entradas proporcionadas por el usuario en la interfaz administrativa del servidor WS_FTP. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-February-2024 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-42659 – WS_FTP Server Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-42659
07 Nov 2023 — In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application. WS_FTP Server en las versiones anteriores a 8.7.6 y 8.8.4, se identificó una falla en la carga de archivos sin restricciones. Un usuario autenticado de Ad Hoc Transfer tiene la capacidad de crear un... • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40049 – WS_FTP Server Information Disclosure via Directory Listing
https://notcve.org/view.php?id=CVE-2023-40049
27 Sep 2023 — In WS_FTP Server version prior to 8.8.2, an unauthenticated user could enumerate files under the 'WebServiceHost' directory listing. En la versión del servidor WS_FTP anterior a la 8.8.2, un usuario no autenticado podía enumerar archivos en la lista del directorio 'WebServiceHost'. • https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40048 – WS_FTP Server Cross-Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2023-40048
27 Sep 2023 — In WS_FTP Server version prior to 8.8.2, the WS_FTP Server Manager interface was missing cross-site request forgery (CSRF) protection on a POST transaction corresponding to a WS_FTP Server administrative function. En la versión del servidor WS_FTP anterior a la 8.8.2, a la interfaz del Administrador del servidor WS_FTP le faltaba protección contra Cross-Site Reuqest Forgery (CSRF) en una transacción POST correspondiente a una función administrativa del servidor WS_FTP. • https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40047 – WS_FTP Server Stored Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2023-40047
27 Sep 2023 — In WS_FTP Server version prior to 8.8.2, a stored cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Management module. An attacker with administrative privileges could import a SSL certificate with malicious attributes containing cross-site scripting payloads. Once the cross-site scripting payload is successfully stored, an attacker could leverage this vulnerability to target WS_FTP Server admins with a specialized payload which results in the execution of malicious JavaScript within the co... • https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-40046 – WS_FTP Server SQL Injection via Administrative Interface
https://notcve.org/view.php?id=CVE-2023-40046
27 Sep 2023 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. En las versiones del servidor WS_FTP anteriores a 8.7.4 y 8.8.2, existe una vulnerabilidad de inyección SQL en la interfaz del administrador del servidor WS_FTP. Un atacante puede inferir información sobre la estructura y ... • https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-40045 – WS_FTP Server Ad Hoc Transfer Module Reflected Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2023-40045
27 Sep 2023 — In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Ad Hoc Transfer module. An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victims browser. En las versiones del servidor WS_FTP anteriores a 8.7.4 y 8.8.2, existe una vulnerabilidad de Cross-Site Scripting (XSS) reflejada en el módulo de transfere... • https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •