Search criteria
48 vulnerabilities found for wing_ftp_server by wftpserver
FKIE_CVE-2025-47812
Vulnerability from fkie_nvd - Published: 2025-07-10 17:15 - Updated: 2025-11-05 19:26
Severity ?
Summary
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"cisaActionDue": "2025-08-04",
"cisaExploitAdd": "2025-07-14",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34AF9E83-291C-40B0-AE69-34C9B59A5D03",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle \u0027\\0\u0027 bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts."
},
{
"lang": "es",
"value": "En Wing FTP Server anterior a la versi\u00f3n 7.4.4, las interfaces web de usuario y administrador gestionan incorrectamente los bytes \u0027\\0\u0027, lo que permite la inyecci\u00f3n de c\u00f3digo Lua arbitrario en los archivos de sesi\u00f3n del usuario. Esto puede usarse para ejecutar comandos de sistema arbitrarios con los privilegios del servicio FTP (root o SYSTEM por defecto). Por lo tanto, se trata de una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo que garantiza la vulneraci\u00f3n total del servidor. Esto tambi\u00e9n es explotable mediante cuentas FTP an\u00f3nimas."
}
],
"id": "CVE-2025-47812",
"lastModified": "2025-11-05T19:26:31.650",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "cve@mitre.org",
"type": "Secondary"
}
]
},
"published": "2025-07-10T17:15:47.210",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server"
},
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.wftpserver.com"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-158"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-47813
Vulnerability from fkie_nvd - Published: 2025-07-10 17:15 - Updated: 2025-07-17 13:17
Severity ?
Summary
loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.wftpserver.com | Broken Link | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34AF9E83-291C-40B0-AE69-34C9B59A5D03",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie."
},
{
"lang": "es",
"value": "loginok.html en Wing FTP Server anterior a 7.4.4 revela la ruta de instalaci\u00f3n local completa de la aplicaci\u00f3n cuando se utiliza un valor largo en la cookie UID."
}
],
"id": "CVE-2025-47813",
"lastModified": "2025-07-17T13:17:06.690",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
}
]
},
"published": "2025-07-10T17:15:47.403",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://www.wftpserver.com"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-27889
Vulnerability from fkie_nvd - Published: 2025-07-10 17:15 - Updated: 2025-07-17 13:31
Severity ?
3.4 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.wftpserver.com/wftpserver.htm | Broken Link | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34AF9E83-291C-40B0-AE69-34C9B59A5D03",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker."
},
{
"lang": "es",
"value": "Wing FTP Server anterior a la versi\u00f3n 7.4.4 no valida ni desinfecta correctamente el par\u00e1metro URL del endpoint downloadpass.html, lo que permite la inyecci\u00f3n de un enlace arbitrario. Si un usuario hace clic en un enlace manipulado, se revela una contrase\u00f1a en texto plano al atacante."
}
],
"id": "CVE-2025-27889",
"lastModified": "2025-07-17T13:31:12.423",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-07-10T17:15:46.683",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://www.wftpserver.com/wftpserver.htm"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-15"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-47811
Vulnerability from fkie_nvd - Published: 2025-07-10 17:15 - Updated: 2025-07-17 13:18
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
6.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
6.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Summary
In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.wftpserver.com | Broken Link | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34AF9E83-291C-40B0-AE69-34C9B59A5D03",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior \"fine to keep.\""
},
{
"lang": "es",
"value": "En Wing FTP Server hasta la versi\u00f3n 7.4.4, la interfaz web administrativa (que escucha por defecto en el puerto 5466) se ejecuta como root o SYSTEM por defecto. La propia aplicaci\u00f3n web ofrece varias formas leg\u00edtimas de ejecutar comandos arbitrarios del sistema (por ejemplo, a trav\u00e9s de la consola web o el programador de tareas), y estos se ejecutan autom\u00e1ticamente con el m\u00e1ximo privilegio posible. Dado que los usuarios administrativos de la interfaz web no son necesariamente administradores del sistema, se podr\u00eda argumentar que se trata de una escalada de privilegios. (Si un atacante no tiene acceso a un rol de aplicaci\u00f3n privilegiado, se puede aprovechar la vulnerabilidad CVE-2025-47812). NOTA: Seg\u00fan se informa, el proveedor considera que este comportamiento es aceptable."
}
],
"id": "CVE-2025-47811",
"lastModified": "2025-07-17T13:18:45.240",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-07-10T17:15:46.933",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://www.wftpserver.com"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-267"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-5196
Vulnerability from fkie_nvd - Published: 2025-05-26 14:15 - Updated: 2025-07-02 17:42
Severity ?
Summary
A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer."
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt | Exploit | |
| cna@vuldb.com | https://vuldb.com/?ctiid.310279 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.310279 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.584253 | Exploit, VDB Entry | |
| cna@vuldb.com | https://www.wftpserver.com/serverhistory.htm | Broken Link | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt | Exploit |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34AF9E83-291C-40B0-AE69-34C9B59A5D03",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: \"[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer.\""
},
{
"lang": "es",
"value": "Se ha detectado una vulnerabilidad en Wing FTP Server (hasta la versi\u00f3n 7.4.3), clasificada como cr\u00edtica. Esta vulnerabilidad afecta a una funcionalidad desconocida del componente Lua Admin Console. La manipulaci\u00f3n provoca la ejecuci\u00f3n con privilegios innecesarios. El ataque puede ejecutarse en remoto. Es un ataque de complejidad bastante alta. Parece dif\u00edcil de explotar. Actualizar a la versi\u00f3n 7.4.4 puede solucionar este problema. Se recomienda actualizar el componente afectado. El proveedor explica: \u00abNo la consideramos una vulnerabilidad de seguridad, ya que el administrador del sistema en WingFTP tiene permisos completos [...], pero se puede sugerir al usuario que ejecute el servicio WingFTP como usuario normal en lugar de como usuario ra\u00edz del sistema; ser\u00e1 m\u00e1s seguro\u00bb."
}
],
"id": "CVE-2025-5196",
"lastModified": "2025-07-02T17:42:07.070",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "MULTIPLE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:H/Au:M/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.2,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "cna@vuldb.com",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2025-05-26T14:15:20.210",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit"
],
"url": "https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.310279"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.310279"
},
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.584253"
},
{
"source": "cna@vuldb.com",
"tags": [
"Broken Link"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit"
],
"url": "https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-250"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-37878
Vulnerability from fkie_nvd - Published: 2023-09-12 09:15 - Updated: 2024-11-21 08:12
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
References
| URL | Tags | ||
|---|---|---|---|
| vulnerability@ncsc.ch | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52C1EF85-3469-4400-96E5-6152EBD0ED1D",
"versionEndIncluding": "7.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
},
{
"lang": "es",
"value": "Los permisos predeterminados inseguros en Wing FTP Server (Admin Web Client) permiten la escalada de privilegios. Este problema afecta al servidor FTP de Wing: \u0026lt;= 7.2.0."
}
],
"id": "CVE-2023-37878",
"lastModified": "2024-11-21T08:12:23.140",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.2,
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-12T09:15:08.223",
"references": [
{
"source": "vulnerability@ncsc.ch",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"sourceIdentifier": "vulnerability@ncsc.ch",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-37881
Vulnerability from fkie_nvd - Published: 2023-09-12 09:15 - Updated: 2024-11-21 08:12
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
References
| URL | Tags | ||
|---|---|---|---|
| vulnerability@ncsc.ch | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52C1EF85-3469-4400-96E5-6152EBD0ED1D",
"versionEndIncluding": "7.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
},
{
"lang": "es",
"value": "El control de acceso d\u00e9bil en Wing FTP Server (Admin Web Client) permite la escalada de privilegios. Este problema afecta al servidor FTP de Wing: \u0026lt;= 7.2.0."
}
],
"id": "CVE-2023-37881",
"lastModified": "2024-11-21T08:12:23.423",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-12T09:15:08.397",
"references": [
{
"source": "vulnerability@ncsc.ch",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"sourceIdentifier": "vulnerability@ncsc.ch",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-37879
Vulnerability from fkie_nvd - Published: 2023-09-12 09:15 - Updated: 2024-11-21 08:12
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.
References
| URL | Tags | ||
|---|---|---|---|
| vulnerability@ncsc.ch | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52C1EF85-3469-4400-96E5-6152EBD0ED1D",
"versionEndIncluding": "7.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
},
{
"lang": "es",
"value": "El almacenamiento inseguro de informaci\u00f3n sensible en Wing FTP Server (User Web Client) permite la obtenci\u00f3n de informaci\u00f3n. Este problema afecta al servidor FTP de Wing: \u0026lt;= 7.2.0."
}
],
"id": "CVE-2023-37879",
"lastModified": "2024-11-21T08:12:23.287",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-12T09:15:08.313",
"references": [
{
"source": "vulnerability@ncsc.ch",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"sourceIdentifier": "vulnerability@ncsc.ch",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-37875
Vulnerability from fkie_nvd - Published: 2023-09-12 09:15 - Updated: 2024-11-21 08:12
Severity ?
3.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52C1EF85-3469-4400-96E5-6152EBD0ED1D",
"versionEndIncluding": "7.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
},
{
"lang": "es",
"value": "La codificaci\u00f3n incorrecta o el escape de salida en Wing FTP Server (User Web Client) permite Cross-Site Scripting (XSS). Este problema afecta al Servidor FTP de Wing: \u0026lt;= 7.2.0."
}
],
"id": "CVE-2023-37875",
"lastModified": "2024-11-21T08:12:22.977",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 1.4,
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-12T09:15:07.807",
"references": [
{
"source": "vulnerability@ncsc.ch",
"tags": [
"Release Notes"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"sourceIdentifier": "vulnerability@ncsc.ch",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "vulnerability@ncsc.ch",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-27735
Vulnerability from fkie_nvd - Published: 2021-01-26 18:15 - Updated: 2024-11-21 05:21
Severity ?
Summary
An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wftpserver.com/serverhistory.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wftpserver | wing_ftp_server | 6.4.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:6.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "45AAB65F-5C41-43CB-9813-4C589F2FB3CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user\u0027s browser."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema de tipo XSS en Wing FTP versi\u00f3n 6.4.4.\u0026#xa0;Un elemento IFRAME arbitrario puede ser incluido en las p\u00e1ginas de ayuda por medio de un enlace dise\u00f1ado, conllevando a una ejecuci\u00f3n de HTML y JavaScript arbitrario (en espacio aislado) en el navegador del usuario"
}
],
"id": "CVE-2020-27735",
"lastModified": "2024-11-21T05:21:43.127",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-26T18:15:46.457",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-27889 (GCVE-0-2025-27889)
Vulnerability from cvelistv5 – Published: 2025-07-10 00:00 – Updated: 2025-07-10 18:04
VLAI?
Summary
Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
Severity ?
CWE
- CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , < 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27889",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T18:04:42.838632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T18:04:56.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThan": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "CWE-15 External Control of System or Configuration Setting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T16:55:16.846Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com/wftpserver.htm"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-27889",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-03-10T00:00:00.000Z",
"dateUpdated": "2025-07-10T18:04:56.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47812 (GCVE-0-2025-47812)
Vulnerability from cvelistv5 – Published: 2025-07-10 00:00 – Updated: 2025-10-21 22:45
VLAI?
Summary
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
Severity ?
10 (Critical)
CWE
- CWE-158 - Improper Neutralization of Null Byte or NUL Character
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , < 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47812",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T03:55:37.528015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-07-14",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:45:22.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-14T00:00:00+00:00",
"value": "CVE-2025-47812 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThan": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle \u0027\\0\u0027 bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T17:33:16.737Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47812",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-10-21T22:45:22.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47811 (GCVE-0-2025-47811)
Vulnerability from cvelistv5 – Published: 2025-07-10 00:00 – Updated: 2025-07-15 13:44 Disputed
VLAI?
Summary
In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."
Severity ?
4.1 (Medium)
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , ≤ 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47811",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T13:43:52.927625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T13:44:06.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThanOrEqual": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndIncluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior \"fine to keep.\""
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T16:39:24.506Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"tags": [
"disputed"
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47811",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-07-15T13:44:06.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47813 (GCVE-0-2025-47813)
Vulnerability from cvelistv5 – Published: 2025-07-10 00:00 – Updated: 2025-07-10 18:17
VLAI?
Summary
loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
Severity ?
4.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , < 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47813",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T18:17:34.777934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T18:17:47.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThan": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T16:45:01.425Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47813",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-07-10T18:17:47.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5196 (GCVE-0-2025-5196)
Vulnerability from cvelistv5 – Published: 2025-05-26 13:31 – Updated: 2025-05-28 17:35
VLAI?
Title
Wing FTP Server Lua Admin Console unnecessary privileges
Summary
A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer."
Severity ?
6.6 (Medium)
6.6 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing | FTP Server |
Affected:
7.4.0
Affected: 7.4.1 Affected: 7.4.2 Affected: 7.4.3 |
Credits
nouvexr (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5196",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:18:05.028886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:35:14.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Lua Admin Console"
],
"product": "FTP Server",
"vendor": "Wing",
"versions": [
{
"status": "affected",
"version": "7.4.0"
},
{
"status": "affected",
"version": "7.4.1"
},
{
"status": "affected",
"version": "7.4.2"
},
{
"status": "affected",
"version": "7.4.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nouvexr (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: \"[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer.\""
},
{
"lang": "de",
"value": "In Wing FTP Server bis 7.4.3 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Komponente Lua Admin Console. Mit der Manipulation mit unbekannten Daten kann eine execution with unnecessary privileges-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Ein Aktualisieren auf die Version 7.4.4 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.8,
"vectorString": "AV:N/AC:H/Au:M/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T13:31:05.016Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-310279 | Wing FTP Server Lua Admin Console unnecessary privileges",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.310279"
},
{
"name": "VDB-310279 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.310279"
},
{
"name": "Submit #584253 | wftpserver Wing FTP Server 7.4.4 Remote Code Execution via Lua Admin Console",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.584253"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt"
},
{
"tags": [
"patch"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-26T10:25:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wing FTP Server Lua Admin Console unnecessary privileges"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5196",
"datePublished": "2025-05-26T13:31:05.016Z",
"dateReserved": "2025-05-26T08:20:20.632Z",
"dateUpdated": "2025-05-28T17:35:14.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37875 (GCVE-0-2023-37875)
Vulnerability from cvelistv5 – Published: 2023-09-12 08:17 – Updated: 2024-09-24 20:36
VLAI?
Title
Cross-Site Scripting Vulnerability in Wing FTP Server <= 7.2.0
Summary
Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T20:33:43.202638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T20:36:33.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:17:22.310Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-Site Scripting Vulnerability in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37875",
"datePublished": "2023-09-12T08:17:22.310Z",
"dateReserved": "2023-07-10T12:59:24.028Z",
"dateUpdated": "2024-09-24T20:36:33.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37878 (GCVE-0-2023-37878)
Vulnerability from cvelistv5 – Published: 2023-09-12 08:16 – Updated: 2024-09-26 14:13
VLAI?
Title
Insecure Default Permissions in Wing FTP Server <= 7.2.0
Summary
Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
6.1 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:13:39.674850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:13:48.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:16:36.910Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure Default Permissions in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37878",
"datePublished": "2023-09-12T08:16:36.910Z",
"dateReserved": "2023-07-10T12:59:24.029Z",
"dateUpdated": "2024-09-26T14:13:48.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37879 (GCVE-0-2023-37879)
Vulnerability from cvelistv5 – Published: 2023-09-12 08:15 – Updated: 2024-09-24 20:47
VLAI?
Title
Exposed Session Variable in Wing FTP Server <= 7.2.0
Summary
Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
6.5 (Medium)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T20:33:48.659521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T20:47:19.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-410",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-410 Information Elicitation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:15:31.668Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Exposed Session Variable in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37879",
"datePublished": "2023-09-12T08:15:31.668Z",
"dateReserved": "2023-07-10T12:59:24.029Z",
"dateUpdated": "2024-09-24T20:47:19.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37881 (GCVE-0-2023-37881)
Vulnerability from cvelistv5 – Published: 2023-09-12 08:14 – Updated: 2024-09-25 15:24
VLAI?
Title
Weak Access Control between Domains in Wing FTP Server <= 7.2.0
Summary
Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T15:02:16.143074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T15:24:43.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:14:20.704Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Weak Access Control between Domains in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37881",
"datePublished": "2023-09-12T08:14:20.704Z",
"dateReserved": "2023-07-10T12:59:24.029Z",
"dateUpdated": "2024-09-25T15:24:43.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27735 (GCVE-0-2020-27735)
Vulnerability from cvelistv5 – Published: 2021-01-20 22:56 – Updated: 2024-08-04 16:18
VLAI?
Summary
An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user\u0027s browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T23:10:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27735",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user\u0027s browser."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wftpserver.com/serverhistory.htm",
"refsource": "MISC",
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"name": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html",
"refsource": "MISC",
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27735",
"datePublished": "2021-01-20T22:56:37",
"dateReserved": "2020-10-26T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27889 (GCVE-0-2025-27889)
Vulnerability from nvd – Published: 2025-07-10 00:00 – Updated: 2025-07-10 18:04
VLAI?
Summary
Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
Severity ?
CWE
- CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , < 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27889",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T18:04:42.838632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T18:04:56.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThan": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "CWE-15 External Control of System or Configuration Setting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T16:55:16.846Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com/wftpserver.htm"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-27889",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-03-10T00:00:00.000Z",
"dateUpdated": "2025-07-10T18:04:56.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47812 (GCVE-0-2025-47812)
Vulnerability from nvd – Published: 2025-07-10 00:00 – Updated: 2025-10-21 22:45
VLAI?
Summary
In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.
Severity ?
10 (Critical)
CWE
- CWE-158 - Improper Neutralization of Null Byte or NUL Character
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , < 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47812",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T03:55:37.528015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-07-14",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:45:22.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-14T00:00:00+00:00",
"value": "CVE-2025-47812 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThan": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle \u0027\\0\u0027 bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T17:33:16.737Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47812",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-10-21T22:45:22.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47811 (GCVE-0-2025-47811)
Vulnerability from nvd – Published: 2025-07-10 00:00 – Updated: 2025-07-15 13:44 Disputed
VLAI?
Summary
In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep."
Severity ?
4.1 (Medium)
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , ≤ 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47811",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T13:43:52.927625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T13:44:06.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThanOrEqual": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndIncluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior \"fine to keep.\""
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T16:39:24.506Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
}
],
"tags": [
"disputed"
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47811",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-07-15T13:44:06.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47813 (GCVE-0-2025-47813)
Vulnerability from nvd – Published: 2025-07-10 00:00 – Updated: 2025-07-10 18:17
VLAI?
Summary
loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie.
Severity ?
4.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wftpserver | Wing FTP Server |
Affected:
0 , < 7.4.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47813",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T18:17:34.777934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T18:17:47.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wing FTP Server",
"vendor": "wftpserver",
"versions": [
{
"lessThan": "7.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T16:45:01.425Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.wftpserver.com"
},
{
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/"
},
{
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-47813",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2025-05-10T00:00:00.000Z",
"dateUpdated": "2025-07-10T18:17:47.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5196 (GCVE-0-2025-5196)
Vulnerability from nvd – Published: 2025-05-26 13:31 – Updated: 2025-05-28 17:35
VLAI?
Title
Wing FTP Server Lua Admin Console unnecessary privileges
Summary
A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer."
Severity ?
6.6 (Medium)
6.6 (Medium)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing | FTP Server |
Affected:
7.4.0
Affected: 7.4.1 Affected: 7.4.2 Affected: 7.4.3 |
Credits
nouvexr (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5196",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:18:05.028886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:35:14.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Lua Admin Console"
],
"product": "FTP Server",
"vendor": "Wing",
"versions": [
{
"status": "affected",
"version": "7.4.0"
},
{
"status": "affected",
"version": "7.4.1"
},
{
"status": "affected",
"version": "7.4.2"
},
{
"status": "affected",
"version": "7.4.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nouvexr (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: \"[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer.\""
},
{
"lang": "de",
"value": "In Wing FTP Server bis 7.4.3 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Komponente Lua Admin Console. Mit der Manipulation mit unbekannten Daten kann eine execution with unnecessary privileges-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Ein Aktualisieren auf die Version 7.4.4 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.8,
"vectorString": "AV:N/AC:H/Au:M/C:C/I:C/A:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-26T13:31:05.016Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-310279 | Wing FTP Server Lua Admin Console unnecessary privileges",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.310279"
},
{
"name": "VDB-310279 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.310279"
},
{
"name": "Submit #584253 | wftpserver Wing FTP Server 7.4.4 Remote Code Execution via Lua Admin Console",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.584253"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt"
},
{
"tags": [
"patch"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-26T10:25:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wing FTP Server Lua Admin Console unnecessary privileges"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5196",
"datePublished": "2025-05-26T13:31:05.016Z",
"dateReserved": "2025-05-26T08:20:20.632Z",
"dateUpdated": "2025-05-28T17:35:14.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37875 (GCVE-0-2023-37875)
Vulnerability from nvd – Published: 2023-09-12 08:17 – Updated: 2024-09-24 20:36
VLAI?
Title
Cross-Site Scripting Vulnerability in Wing FTP Server <= 7.2.0
Summary
Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T20:33:43.202638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T20:36:33.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:17:22.310Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-Site Scripting Vulnerability in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37875",
"datePublished": "2023-09-12T08:17:22.310Z",
"dateReserved": "2023-07-10T12:59:24.028Z",
"dateUpdated": "2024-09-24T20:36:33.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37878 (GCVE-0-2023-37878)
Vulnerability from nvd – Published: 2023-09-12 08:16 – Updated: 2024-09-26 14:13
VLAI?
Title
Insecure Default Permissions in Wing FTP Server <= 7.2.0
Summary
Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
6.1 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T14:13:39.674850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:13:48.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:16:36.910Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure Default Permissions in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37878",
"datePublished": "2023-09-12T08:16:36.910Z",
"dateReserved": "2023-07-10T12:59:24.029Z",
"dateUpdated": "2024-09-26T14:13:48.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37879 (GCVE-0-2023-37879)
Vulnerability from nvd – Published: 2023-09-12 08:15 – Updated: 2024-09-24 20:47
VLAI?
Title
Exposed Session Variable in Wing FTP Server <= 7.2.0
Summary
Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
6.5 (Medium)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T20:33:48.659521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T20:47:19.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-410",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-410 Information Elicitation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:15:31.668Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Exposed Session Variable in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37879",
"datePublished": "2023-09-12T08:15:31.668Z",
"dateReserved": "2023-07-10T12:59:24.029Z",
"dateUpdated": "2024-09-24T20:47:19.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37881 (GCVE-0-2023-37881)
Vulnerability from nvd – Published: 2023-09-12 08:14 – Updated: 2024-09-25 15:24
VLAI?
Title
Weak Access Control between Domains in Wing FTP Server <= 7.2.0
Summary
Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wing FTP Server | Wing FTP Server |
Affected:
<= 7.2.0
|
Credits
Thomas Felder
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T15:02:16.143074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T15:24:43.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Wing FTP Server",
"vendor": "Wing FTP Server",
"versions": [
{
"status": "affected",
"version": "\u003c= 7.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Felder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.\u003cp\u003eThis issue affects Wing FTP Server: \u0026lt;= 7.2.0.\u003c/p\u003e"
}
],
"value": "Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T08:14:20.704Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Weak Access Control between Domains in Wing FTP Server \u003c= 7.2.0",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-37881",
"datePublished": "2023-09-12T08:14:20.704Z",
"dateReserved": "2023-07-10T12:59:24.029Z",
"dateUpdated": "2024-09-25T15:24:43.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27735 (GCVE-0-2020-27735)
Vulnerability from nvd – Published: 2021-01-20 22:56 – Updated: 2024-08-04 16:18
VLAI?
Summary
An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user\u0027s browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T23:10:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27735",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user\u0027s browser."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wftpserver.com/serverhistory.htm",
"refsource": "MISC",
"url": "https://www.wftpserver.com/serverhistory.htm"
},
{
"name": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html",
"refsource": "MISC",
"url": "https://wshenk.blogspot.com/2021/01/xss-in-wing-ftps-web-interface-cve-2020.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27735",
"datePublished": "2021-01-20T22:56:37",
"dateReserved": "2020-10-26T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}