20 matches found
CVE-2025-47812
CVE-2025-47812 is a remote code execution vulnerability in Wing FTP Server, affecting versions before 7.4.4. The root cause is improper handling of null bytes ('\0') in user/admin web interfaces, allowing injection of arbitrary Lua code into user session files. The injected code can execute comma...
CVE-2020-8635
CVE-2020-8635 affects Wing FTP Server v6.2.3 on Linux, macOS and Solaris. The root cause is insecure permissions on installation directories and configuration files, enabling local attackers to arbitrarily create FTP users with full privileges and escalate privileges by modifying system files. An...
CVE-2020-8634
CVE-2020-8634 affects Wing FTP Server v6.2.3 on Linux, macOS and Solaris. The HTTP file management interface saves edited files with world-readable and world-writable permissions, enabling a low-privilege user to escalate to root by modifying sensitive system files. The connected data confirms th...
CVE-2020-9470
CVE-2020-9470 affects Wing FTP Server up to version 6.2.5, where insecure permissions on session and session_admin cookies allow a local user to read active sessions and hijack user/admin sessions. This can enable the attacker to execute Lua commands as root within the administration panel, effec...
CVE-2023-37879
CVE-2023-37879 affects Wing FTP Server (User Web Client) up to version 7.2.0, where insecure storage of sensitive information enables information elicitation. Multiple sources confirm the issue as a sensitive-info disclosure via the User Web Client, with impact on confidentiality and no indicatio...
CVE-2025-5196
CVE-2025-5196 affects Wing FTP Server up to 7.4.3, via the Lua Admin Console, granting execution with unnecessary privileges. Exploitation appears remote and authenticated (PoC exists). Upgrade to version 7.4.4 to address the issue; vendor notes recommend running the service as a Normal User for ...
CVE-2025-47813
Technical details for CVE-2025-47813 are not publicly available in the provided connected documents. Monitor for updates. Initial description notes an information disclosure related to UID cookie length, but no technical specifics are provided here.
CVE-2010-2428
CVE-2010-2428 affects Wing FTP Server for Windows 3.5.0 and earlier; the admin_loginok.html page is vulnerable to cross-site scripting via a crafted POST, allowing an authenticated remote attacker to inject arbitrary script/HTML in the user’s browser. Several sources (NVD, OpenVAS, Nessus) corrob...
CVE-2020-27735
Wing FTP 6.4.4 web interface is vulnerable to a Cross‑Site Scripting (XSS) flaw. An arbitrary IFRAME can be injected into help pages via a crafted link, causing sandboxed HTML/JavaScript to execute in the victim’s browser. Affected component: the web interface of Wing FTP Server 6.4.4. Root cause...
CVE-2023-37881
The CVE-2023-37881 entry concerns Wing FTP Server (Admin Web Client), with a root cause described as weak access control that enables privilege escalation. Affected version range is Wing FTP Server
CVE-2023-37875
CVE-2023-37875 affects Wing FTP Server ≤ 7.2.0 via the User Web Client, where improper encoding/escaping of output causes a Cross-Site Scripting (XSS) vulnerability. The issue is documented across multiple sources (NVD, CVE lists) with the root cause described as incorrect output encoding. Exploi...
CVE-2025-47811
Wing FTP Server (versions up to 7.4.4) is affected by CVE-2025-47811: the admin web interface runs as root/SYSTEM by default, and the web app exposes legitimate ways to execute system commands which are executed with the highest privileges. This creates a potential privilege escalation via the we...
CVE-2015-4108
CVE-2015-4108 affects Wing FTP Server up to version 4.4.6. The vulnerability is a set of cross-site request forgery (CSRF) flaws in the admin interface that can hijack administrator authentication for requests to admin_lua_script.html (arbitrary code execution potential) or admin_addadmin.html (a...
CVE-2023-37878
CVE-2023-37878 describes an insecure default permission issue in the Wing FTP Server Admin Web Client that enables privilege escalation on Wing FTP Server versions
CVE-2012-4729
Wing FTP Server prior to 4.1.1 is vulnerable to an authenticated denial-of-service caused by parsing two ZIP commands, leading to daemon crash. Affected: Wing FTP Server versions before 4.1.1. Root cause: vulnerability arises during processing of multiple ZIP commands. Mitigation: upgrade to vers...
CVE-2025-27889
Technical details for CVE-2025-27889 are not provided in the connected documents; the supplied materials focus on CVE-2025-47812 and lack specifics (product/version/impact) for CVE-2025-27889. Monitor for updates.
CVE-2026-44403
Wing FTP Server 8.1.2 is affected: an authenticated remote code execution due to unsafe session serialization that injects Lua via the domain admin mydirectory field, leading to code execution when a poisoned session is loaded with loadfile(). Root cause: unsafe serialization of session values in...
CVE-2020-37032
Wing FTP Server 6.3.8 is affected by a remote code execution flaw in the Lua-based web console. The issue allows authenticated users to send crafted POST requests that trigger operating system commands via os.execute(), enabling arbitrary code execution on the server. Affected component: Lua-base...
CVE-2020-37079
Wing FTP Server prior to version 6.2.7 is affected by a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows an attacker to delete admin users by crafting a malicious HTML page with a hidden form that submits a request without proper authorization. The i...
CVE-2019-25267
Wing FTP Server 6.0.7 is affected by an unquoted service path vulnerability that lets local attackers insert and execute malicious executables with LocalSystem privileges. The issue stems from unquoted binary paths in the service configuration, enabling privilege escalation. Impact is described a...