CVE-2020-11702

Name of the Vulnerable Software and Affected Versions ProVide (formerly zFTPServer) versions through 13.1

Description An issue was discovered in the User Web Interface, which has multiple stored and reflected XSS issues. The Collaborate feature is reflected via the filename parameter and stored via the displayname parameter. The Deletemultiple feature is reflected via the files parameter. The Share feature is reflected via the target parameter and stored via the displayname parameter. The Waitedit feature is reflected via the Host header.

Recommendations For ProVide (formerly zFTPServer) versions through 13.1, consider disabling the Collaborate, Deletemultiple, Share, and Waitedit features until a patch is available. Restrict access to the User Web Interface to minimize the risk of exploitation. Avoid using the filename, displayname, files, and target parameters in the affected features until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.