Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XWftpserver Wing Ftp Server
APPWftpserver< 8.1.3
Related vulnerabilities
RCE w Wing FTP Server — wstrzyknięcie kodu Lua przez bajt NULL
Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potential...
Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows ...
A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vul...
Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and...