CVE-2020-11707

Name of the Vulnerable Software and Affected Versions ProVide (formerly zFTPServer) versions through 13.1

Description An issue was discovered where the software does not enforce permission over Windows Symlinks or Junctions. This allows a low-privileged user to craft a Junction Link in a directory they have full control of, breaking out of the sandbox.

Recommendations For ProVide (formerly zFTPServer) versions through 13.1, consider restricting access to Windows Symlinks or Junctions to prevent low-privileged users from crafting malicious links. As a temporary workaround, limit the ability of non-admin users to create Junction Links in directories they control. At the moment, there is no information about a newer version that contains a fix for this vulnerability.