CVE-2020-27735
Published 2021-01-26

Priority: P3 · 42 · medium · CVSS 3.1 base score 6.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: EXPLOIT
EPSS: 5.63% (92.0th percentile)
An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wftpserver | wing_ftp_server | — | — |
Detection & IOCs (extracted from sources)
- Send a GET request to /help/english/index.html with a javascript: URI as the query parameter; a vulnerable Wing FTP 6.4.4 server will reflect an <iframe src=javascript:alert(document.domain)> element in the response body with HTTP 200 and Content-Type: text/html.
- Confirm the response Content-Type header contains 'text/html' and the HTTP status code is 200 as additional confirmation of the vulnerable endpoint.
- The vulnerability is specific to Wing FTP Server version 6.4.4 only; other versions are not confirmed affected by this CVE.
- The XSS payload executes in a sandboxed context (sandboxed IFRAME), which may limit the impact compared to a fully unsandboxed XSS.
- Exploitation requires user interaction (UI:R): the victim must follow a crafted link to the help page.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Nuclei
Wing FTP 6.4.4 - Cross-Site Scripting
nuclei · CVSS 6.1 · CVE-2020-27735 [MEDIUM]
Wing FTP 6.4.4 is vulnerable to cross-site scripting via its web interface because an arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
Template:
```yaml
id: CVE-2020-27735

info:
  name: Wing FTP 6.4.4 - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: |
    Wing FTP 6.4.4 is vulnerable to cross-site scripting via its web interface because an arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code i
```
No writeups or analysis indexed.
Published: 2021-01-26