CVE-2022-36967 - Multiple Reflected Cross-Site Scripting (XSS) on WS_FTP

1. Vulnerability Properties

Title: Multiple Reflected Cross-Site Scripting (XSS) on WS_FTP
CVE ID: CVE-2022-36967
CVSSv3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vendor: Progress
Products: WS_FTP Server
Advisory Release Date: 08-02-22
Advisory URL: https://labs.integrity.pt/advisories/CVE-2022-36967
Credits: Discovery by Guilherme Santos (rondons) <guilherme.santos[at]devoteam.com> & Caio Farias (g3n3) <caio.farias[at]devoteam.com>

2. Vulnerability Summary

In WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in WS_FTP Server's administrative web interface. A remote attacker can inject arbitrary JavaScript into a WS_FTP administrator's web session, allowing the attacker to execute code within the context of the victim's browser.

3. Vulnerable Versions

  • < 8.7.3

4. Solution

  • Update to version 8.7.3 or higher

5. Vulnerability Timeline

  • 04/06/22 - Vulnerability reported to Progress via HackerOne.
  • 10/06/22 - Vulnerability verified by vendor.
  • 02/08/22 - Vulnerability fixed by vendor and advisory released.

6. References

  • https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36967


© 2022 Integrity Part of Devoteam. All rights reserved.
