CVE-2023-40045 WS_FTP Server Ad Hoc Transfer Module Reflected Cross-Site Scripting Vulnerability

2023-09-2714:49:45

CWE-79

ProgressSoftware

www.cve.org

ws_ftp server

cross-site scripting

vulnerability

javascript

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

23.6%

JSON

In WS_FTP Server versions prior to 8.7.4 and 8.8.2,

a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server’s Ad Hoc Transfer module. An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victims browser.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "modules": [
      "Ad Hoc Transfer Module"
    ],
    "product": "WS_FTP Server",
    "vendor": "Progress Software Corporation",
    "versions": [
      {
        "lessThan": "8.8.2",
        "status": "affected",
        "version": "8.8.0",
        "versionType": "semver"
      },
      {
        "lessThan": "8.7.4",
        "status": "affected",
        "version": "8.7.0",
        "versionType": "semver"
      }
    ]
  }
]