CVE-2023-40045

WS_FTP Server Ad Hoc Transfer Module Reflected Cross-Site Scripting Vulnerability

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In WS_FTP Server versions prior to 8.7.4 and 8.8.2,

a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Ad Hoc Transfer module. An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victims browser.

En las versiones del servidor WS_FTP anteriores a 8.7.4 y 8.8.2, existe una vulnerabilidad de Cross-Site Scripting (XSS) reflejada en el módulo de transferencia ad hoc del servidor WS_FTP. Un atacante podría aprovechar esta vulnerabilidad para atacar a los usuarios del servidor WS_FTP con un payload especializado que resulta en la ejecución de JavaScript malicioso dentro del contexto del navegador de la víctima.

*Credits: Cristian Mocanu - Deloitte

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-08 CVE Reserved
2023-09-27 CVE Published
2024-08-02 CVE Updated
2024-08-27 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

CAPEC-63: Cross-Site Scripting (XSS)

References (2)

URL	Tag	Source
https://www.progress.com/ws_ftp	Product

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023	2023-09-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Progress Search vendor "Progress"		Ws Ftp Server Search vendor "Progress" for product "Ws Ftp Server"				< 8.7.4 Search vendor "Progress" for product "Ws Ftp Server" and version " < 8.7.4"		-		Affected
Progress Search vendor "Progress"		Ws Ftp Server Search vendor "Progress" for product "Ws Ftp Server"				>= 8.8 < 8.8.2 Search vendor "Progress" for product "Ws Ftp Server" and version " >= 8.8 < 8.8.2"		-		Affected