Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Provide Ftp Server Security Vulnerabilities - November

cve
cve

CVE-2020-11701

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. CSRF exists in the User Web Interface, as demonstrated by granting filesystem access to the public for uploading and deleting files and directories.

8.8CVSS

8.6AI Score

0.001EPSS

2020-04-12 03:15 AM
78
cve
cve

CVE-2020-11702

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The User Web Interface has Multiple Stored and Reflected XSS issues. Collaborate is Reflected via the filename parameter. Collaborate is Stored via the displayname parameter. Deletemultiple is Reflected via the files parameter. ...

6.1CVSS

5.9AI Score

0.001EPSS

2020-04-12 03:15 AM
83
cve
cve

CVE-2020-11703

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/GetInheritedProperties allows HTTP Response Splitting via the language parameter.

7.5CVSS

7.5AI Score

0.001EPSS

2020-04-12 03:15 AM
84
cve
cve

CVE-2020-11704

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Web Interface has Multiple Stored and Reflected XSS. GetInheritedProperties is Reflected via the groups parameter. GetUserInfo is Reflected via POST data. SetUserInfo is Stored via the general parameter.

6.1CVSS

6.2AI Score

0.001EPSS

2020-04-12 03:15 AM
80
cve
cve

CVE-2020-11705

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/ImportCertificate allows an attacker to load an arbitrary certificate in .pfx format or overwrite arbitrary files via the fileName parameter.

9.8CVSS

9.3AI Score

0.004EPSS

2020-04-12 03:15 AM
85
cve
cve

CVE-2020-11706

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Interface allows CSRF for actions such as: Change any username and password, admin ones included; Create/Delete users; Enable/Disable Services; Set a rogue update proxy; and Shutdown the server.

8.8CVSS

8.6AI Score

0.001EPSS

2020-04-12 03:15 AM
78
cve
cve

CVE-2020-11707

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It doesn't enforce permission over Windows Symlinks or Junctions. As a result, a low-privileged user (non-admin) can craft a Junction Link in a directory he has full control of, breaking out of the sandbox.

8.8CVSS

8.6AI Score

0.001EPSS

2020-04-12 03:15 AM
80
cve
cve

CVE-2020-11708

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. Privilege escalation can occur via the /ajax/SetUserInfo messages parameter because of the EXECUTE() feature, which is for executing programs when certain events are triggered.

9.8CVSS

9.5AI Score

0.002EPSS

2020-04-12 03:15 AM
80