Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XWftpserver Wing Ftp Server
APPWftpserver6.3.8
Related vulnerabilities
RCE w Wing FTP Server — wstrzyknięcie kodu Lua przez bajt NULL
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session seri...
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potential...
A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vul...
Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HT...