CVE-2025-27889

Low CVSS: 3.4

Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

Vendor

Wftpserver

Product

Wing Ftp Server

CWE

CWE-15

Yayın Tarihi

2025-07-10 17:15:46

Güncelleme

2025-07-17 13:31:12

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-15 Wing Ftp Server LOW Wftpserver 2025

Referanslar

https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ https://www.wftpserver.com/wftpserver.htm https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/

Benzer Kayıtlar

Medium

CVE-2020-37079

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administrat…

High

CVE-2019-25267

Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute…

High

CVE-2020-37032

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authentica…

Critical

CVE-2025-47812

In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection o…

Medium

CVE-2025-47813

loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a…

Medium

CVE-2025-47811

In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or S…