CVE-2020-11704

Name of the Vulnerable Software and Affected Versions ProVide (formerly zFTPServer) versions through 13.1

Description The issue concerns Multiple Stored and Reflected XSS in the Admin Web Interface. Specifically, GetInheritedProperties is reflected via the groups parameter, GetUserInfo is reflected via POST data, and SetUserInfo is stored via the general parameter.

Recommendations For ProVide (formerly zFTPServer) versions through 13.1, consider disabling the GetInheritedProperties, GetUserInfo, and SetUserInfo functions until a patch is available to prevent exploitation of the reflected and stored XSS issues. Restrict access to the Admin Web Interface to minimize the risk of exploitation. Avoid using the groups and general parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.