CVE-2022-2560

Name of the Vulnerable Software and Affected Versions EnterpriseDT CompleteFTP version 22.1.0 Server

Description This issue allows remote attackers to delete arbitrary files on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the HttpFile class, resulting from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this issue to delete files in the context of SYSTEM.

Recommendations For EnterpriseDT CompleteFTP version 22.1.0 Server, as a temporary workaround, consider restricting access to the HttpFile class until a patch is available. Avoid using user-supplied paths in file operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.