CVE-2022-27665

Name of the Vulnerable Software and Affected Versions Progress Ipswitch WS FTP Server version 8.6.0

Description Reflected XSS exists due to improper handling of user-provided input, allowing execution of malicious code and commands on the client. This can be achieved by inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, enabling client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the "ThinClient/WtmApiService.asmx/GetFileSubTree" URI.

Recommendations For version 8.6.0, consider disabling the use of AngularJS sandbox escape expressions until a patch is available. Restrict access to the subFolderPath parameter in the "ThinClient/WtmApiService.asmx/GetFileSubTree" URI to minimize the risk of exploitation. Avoid using the subdirectory searchbar or Add folder filename boxes with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.