PT-2024-38552 · Ipswitch · WS FTP Server

Published: 2024-08-28 · Updated: 2024-09-04 · CVE-2024-7744

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: WS FTP Server versions prior to 8.8.8 (2022.0.8)

Description: A vulnerability in the Web Transfer Module of WS FTP Server allows Path Traversal, enabling file discovery, probing of system files, and user-controlled filename manipulation. An authenticated file download flaw has been identified, in which a user can craft an API call to download a file from an arbitrary folder on the drive where the user host's root folder is located, which by default is the C: drive.

Recommendations: For WS FTP Server versions prior to 8.8.8 (2022.0.8), update to version 8.8.8 (2022.0.8) or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Transfer Module until a patch is applied. Additionally, restrict the ability of users to craft API calls that allow them to download files from arbitrary folders.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-7744
ZDI-24-1184

Affected Products

WS FTP Server