Nv1T

**Name of the Vulnerable Software and Affected Versions** MELAG FTP Server version 2.2.0.4 **Description** A user enumeration issue allows an attacker to identify valid FTP usernames. **Recommendations** For MELAG FTP Server version 2.2.0.4, consider restricting access to the FTP server until a patch is available. As a temporary workaround, limit the information disclosed by the server in response to invalid login attempts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MELAG FTP Server version 2.2.0.4 **Description** The issue allows remote attackers to abuse misconfigurations or vulnerabilities with administrative access over the entire host system when MELAG FTP Server is installed as a Windows service and run as the SYSTEM user. **Recommendations** For MELAG FTP Server version 2.2.0.4, consider running the service under a less privileged user account to minimize the risk of exploitation. Additionally, review and rectify any misconfigurations to prevent abuse of vulnerabilities. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MELAG FTP Server version 2.2.0.4 **Description** The issue allows an attacker to use the CWD command to break out of the FTP server's root directory and operate on the entire operating system. The access restrictions of the user running the FTP server apply. **Recommendations** For MELAG FTP Server version 2.2.0.4, consider restricting access to the CWD command as a temporary workaround until a patch is available. Additionally, ensure that the FTP server is run with the least privileges necessary to minimize the impact of a potential exploit. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MELAG FTP Server version 2.2.0.4 **Description** The issue concerns weak access control permissions that allow the "Everyone" group to read the local FTP configuration file. This file contains unencrypted passwords of all FTP users, among other information. **Recommendations** For MELAG FTP Server version 2.2.0.4, consider restricting access to the local FTP configuration file to prevent unauthorized reading of sensitive information, including unencrypted passwords, until a patch or fix is available. As a temporary workaround, restrict the "Everyone" group's permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MELAG FTP Server version 2.2.0.4 **Description** The authentication checks of the MELAG FTP Server are incomplete, allowing a remote attacker to access local files by using a valid username. **Recommendations** For version 2.2.0.4, consider restricting access to the FTP server until a patch is available, and ensure that all usernames and passwords are securely managed to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MELAG FTP Server version 2.2.0.4 **Description** The issue concerns the storage of unencrypted passwords of FTP users in a local configuration file. **Recommendations** For MELAG FTP Server version 2.2.0.4, consider updating the configuration to encrypt stored passwords or restrict access to the configuration file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.