Progress Software has released hotfixes for a critical security vulnerability, along with 7 other flaws, in the WS_FTP Server Ad Hoc Transfer Module and in the WS_FTP Server manager interface.
Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the application are affected by the flaw.
“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” the company said in an advisory.
Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with discovering and reporting the vulnerability.
The list of remaining flaws, affecting WS_FTP Server versions prior to 8.8.2, is as follows:
- CVE-2023-42657 (CVSS score: 9.9) – A directory traversal vulnerability that could be exploited to perform file operations outside the intended directory.
- CVE-2023-40045 (CVSS score: 8.3) – A reflected cross-site scripting (XSS) vulnerability in the WS_FTP Server’s Ad Hoc Transfer module that could be exploited to execute arbitrary JavaScript in the context of the victim’s browser.
- CVE-2023-40047 (CVSS score: 8.3) – A stored cross-site scripting (XSS) vulnerability in the WS_FTP Server’s Administration module that could be exploited by an attacker with admin privileges to import an SSL certificate with malicious attributes containing XSS payloads, which could then be triggered in the victim’s browser.
- CVE-2023-40046 (CVSS score: 8.2) – An SQL injection vulnerability in the WS_FTP Server manager interface that could be exploited to infer information stored in the database and execute SQL statements that alter or delete its contents.
- CVE-2023-40048 (CVSS score: 6.8) – A cross-site request forgery (CSRF) vulnerability in the WS_FTP Server Manager interface.
- CVE-2022-27665 (CVSS score: 6.1) – A reflected cross-site scripting (XSS) vulnerability in Progress Ipswitch WS_FTP Server 8.6.0 that can lead to execution of malicious code and commands on the client.
- CVE-2023-40049 (CVSS score: 5.3) – An authentication bypass vulnerability that allows users to enumerate files under the ‘WebServiceHost’ directory listing.
With security flaws in Progress Software products becoming an attractive target for ransomware groups like Cl0p, it is crucial that users move quickly to apply the latest patches to contain potential threats.
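As an added defensive example (not part of the original article and not Progress Software's own tooling), the following Python script turns the fixed-version statements above into a triage check that flags which installed WS_FTP Server builds still need patching. The version strings fed to it are constructed samples, and treating 8.7.x releases from 8.7.4 onward as patched for CVE-2023-40044 is an assumption drawn from the advisory wording “prior to 8.7.4 and 8.8.2”; the remaining seven flaws are treated as fixed only in 8.8.2, as the list above states.

```python
"""Version triage helper for the WS_FTP Server advisory summarised above.

Added example, not Progress Software's tooling. Fixed versions encoded here:
  - CVE-2023-40044: fixed in 8.7.4 (8.7 branch, assumed) and 8.8.2
  - the other seven CVEs: fixed in 8.8.2 (per the list in the article)
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract a dotted version from strings such as '8.8.1' or
    'WS_FTP Server 8.7.3 (build 12)' and return it as a comparable tuple,
    padded to three components so '8.8' compares as 8.8.0."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts if len(parts) >= 3 else parts + (0,) * (3 - len(parts))


def vulnerable_to_cve_2023_40044(version: Version) -> bool:
    """True when the build predates both fixed releases on its branch."""
    if version >= (8, 8, 2):
        return False
    if (8, 7, 4) <= version < (8, 8, 0):
        return False  # assumption: 8.7 branch patched from 8.7.4 onward
    return True


def vulnerable_to_remaining_flaws(version: Version) -> bool:
    """The other seven CVEs affect every version prior to 8.8.2."""
    return version < (8, 8, 2)


def triage(version_text: str) -> Dict[str, object]:
    """Summarise exposure for one installed build and the action to take."""
    v = parse_version(version_text)
    return {
        "version": ".".join(str(p) for p in v),
        "cve_2023_40044": vulnerable_to_cve_2023_40044(v),
        "other_cves_prior_to_8_8_2": vulnerable_to_remaining_flaws(v),
        "recommended": "upgrade to 8.8.2" if v < (8, 8, 2) else "up to date",
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ("8.6.0", "8.7.3", "8.7.4", "8.8.1", "8.8.2"):
        print(triage(sample))
```

Run it against the version strings collected from an asset inventory; any build that reports `cve_2023_40044: True` should be treated as the highest priority, since that flaw is reachable before authentication.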
The company, meanwhile, is still grappling with the fallout from the mass hack targeting its MOVEit Transfer secure file transfer platform since May 2023. More than 2,100 organizations and more than 62 million people are estimated to have been impacted, according to Emsisoft.
Some parts of this article are sourced from:
thehackernews.com