PT-2007-5008 · Netwin · Surgeftp

Published: 2007-07-15 · Updated: 2017-07-29 · CVE-2007-3769

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: SurgeFTP version 2.3a1

Description: A cross-site scripting (XSS) issue exists in the mirrored server management interface, allowing a remote FTP server to inject arbitrary web script or HTML via a malformed response that lacks a status code. The injected content is reflected to the user in the resulting error message. It is possible to leverage this issue for root access through a sequence of steps involving web script that creates a new FTP user account.

Recommendations: For SurgeFTP version 2.3a1, consider disabling the mirrored server management interface until a patch is available, to prevent exploitation of the XSS vulnerability. Restrict access to the management interface to minimize the risk of arbitrary web script or HTML injection.
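As an added illustration (not SurgeFTP's code, which the advisory does not show), the following hypothetical Python handler contrasts the unsafe reflection pattern the advisory describes with a hardened version that refuses to echo a reply lacking a three-digit FTP status code and HTML-escapes the rest; the sample replies are constructed.

```python
import html
import re

# Hypothetical reconstruction of the flaw class in the advisory: a management
# page that shows a remote FTP server's reply inside an error message.
# SurgeFTP's real code is not on the page; these functions are illustrative.

# A well-formed FTP reply line starts with a 3-digit code followed by a
# space (or '-' for a multi-line reply).
FTP_REPLY = re.compile(r"^(\d{3})[ -](.*)$")


def render_error_unsafe(remote_reply: str) -> str:
    """Vulnerable pattern: the raw remote reply is interpolated into HTML."""
    return f"<p>Mirror failed: {remote_reply}</p>"


def render_error_safe(remote_reply: str) -> str:
    """Hardened pattern: validate the status code, then HTML-escape the text.

    A reply with no status code is treated as untrusted garbage and is not
    reflected at all; a valid reply is escaped so markup cannot execute.
    """
    m = FTP_REPLY.match(remote_reply)
    if not m:
        return "<p>Mirror failed: remote server sent a malformed reply</p>"
    code, text = m.group(1), m.group(2)[:200]  # cap length as well
    return f"<p>Mirror failed: {code} {html.escape(text, quote=True)}</p>"


# Constructed sample replies, not captured from any real server
GOOD_REPLY = "530 Login incorrect."
MALFORMED_REPLY = "<b>not a status line</b>"

if __name__ == "__main__":
    print(render_error_unsafe(MALFORMED_REPLY))  # markup reaches the browser
    print(render_error_safe(MALFORMED_REPLY))    # generic message instead
    print(render_error_safe(GOOD_REPLY))
```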

Fix


Related identifiers

CVE-2007-3769

Affected products

Surgeftp