PT-2017-15109 · Surgeftp · Surgeftp
Published 2017-12-29 · Updated 2021-09-10 · CVE-2017-17933
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
SurgeFTP version 23f2
Description
The Web Manager interface, specifically cgi/surgeftpmgr.cgi (served on TCP port 7021 or 9021), is vulnerable to cross-site scripting (XSS) through the classid, domainid, or username parameters.
Recommendations
For SurgeFTP version 23f2, consider restricting access to the Web Manager interface until a fix is available. As a temporary workaround, avoid using the classid, domainid, or username parameters of the vulnerable cgi/surgeftpmgr.cgi interface.
Weakness Enumeration
XSS
Affected Products
Surgeftp