Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server

September 29, 2023

Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad Hoc Transfer Module and in the WS_FTP Server manager interface.

Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are affected by the flaw.

“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” the company said in an advisory.

Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with discovering and reporting the vulnerability.

The list of remaining flaws, affecting WS_FTP Server versions prior to 8.8.2, is as follows:

  • CVE-2023-42657 (CVSS score: 9.9) – A directory traversal vulnerability that could be exploited to perform file operations.
  • CVE-2023-40045 (CVSS score: 8.3) – A reflected cross-site scripting (XSS) vulnerability in the WS_FTP Server’s Ad Hoc Transfer module that could be exploited to execute arbitrary JavaScript in the context of the victim’s browser.
  • CVE-2023-40047 (CVSS score: 8.3) – A stored cross-site scripting (XSS) vulnerability in the WS_FTP Server’s Management module that could be exploited by an attacker with admin privileges to import an SSL certificate with malicious attributes containing XSS payloads, which could then be triggered in the victim’s browser.
  • CVE-2023-40046 (CVSS score: 8.2) – An SQL injection vulnerability in the WS_FTP Server manager interface that could be exploited to infer data stored in the database and execute SQL statements that alter or delete its contents.
  • CVE-2023-40048 (CVSS score: 6.8) – A cross-site request forgery (CSRF) vulnerability in the WS_FTP Server Manager interface.
  • CVE-2022-27665 (CVSS score: 6.1) – A reflected cross-site scripting (XSS) vulnerability in Progress Ipswitch WS_FTP Server 8.6.0 that can lead to execution of malicious code and commands on the client.
  • CVE-2023-40049 (CVSS score: 5.3) – An authentication bypass vulnerability that allows users to enumerate files under the ‘WebServiceHost’ directory listing.
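Note the asymmetry in the fix levels: CVE-2023-40044 is fixed in both 8.7.4 and 8.8.2, but the seven remaining flaws are only fixed from 8.8.2, so a host on 8.7.4 is patched for the RCE yet still exposed to the rest. The following added example (not from the article or from Progress Software) encodes that logic for an inventory check; the dotted numeric version-string format is an assumption.

```python
"""Map a WS_FTP Server version string to the CVEs from the advisory that still apply.

Added example; assumes versions look like "8.7.4" or "8.8.1" (constructed inputs).
"""
from __future__ import annotations

# Fix levels as stated in the advisory: the RCE has a fix on both the 8.7 and
# 8.8 branches, the other seven flaws are fixed only from 8.8.2 onward.
RCE_CVE = "CVE-2023-40044"
RCE_FIXED_8_7 = (8, 7, 4)
RCE_FIXED_8_8 = (8, 8, 2)
OTHERS_FIXED = (8, 8, 2)
OTHER_CVES = (
    "CVE-2023-42657", "CVE-2023-40045", "CVE-2023-40047", "CVE-2023-40046",
    "CVE-2023-40048", "CVE-2022-27665", "CVE-2023-40049",
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; a trailing dot is tolerated."""
    parts = text.strip().rstrip(".").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def rce_vulnerable(v: tuple[int, int, int]) -> bool:
    """CVE-2023-40044: compare against the fix level of the host's own branch.

    8.7.x is fixed from 8.7.4; everything else (8.8.x and older branches,
    which have no dedicated fix) is judged against 8.8.2.
    """
    if v[:2] == (8, 7):
        return v < RCE_FIXED_8_7
    return v < RCE_FIXED_8_8


def assess(text: str) -> dict[str, bool]:
    """Return {cve: still_vulnerable} for every CVE in the advisory."""
    v = parse_version(text)
    result = {RCE_CVE: rce_vulnerable(v)}
    others_open = v < OTHERS_FIXED
    for cve in OTHER_CVES:
        result[cve] = others_open
    return result


def outstanding(text: str) -> list[str]:
    """List the CVEs a host at this version is still exposed to (empty means fully patched)."""
    return [cve for cve, open_ in assess(text).items() if open_]
```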

With security flaws in Progress Software becoming an attractive target for ransomware groups like Cl0p, it is essential that users move quickly to apply the latest patches to contain potential threats.

The company, meanwhile, is still grappling with the fallout from the mass hack targeting its MOVEit Transfer secure file transfer platform since May 2023. More than 2,100 organizations and over 62 million people are estimated to have been affected, according to Emsisoft.

Some sections of this article are sourced from:
thehackernews.com