CVE-2020-28001

Stored cross-site scripting in Serv-U File Server by SolarWinds | The Missing Link

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

SolarWinds Serv-U FTP server through 15.2.1 does not correctly sanitize and validate the user-supplied directory names, allowing malicious users to create directories that when clicked on (in the breadcrumb menu) will trigger XSS payloads.

Successful exploitation of this issue may allow an attacker to perform unauthorised actions in the user’s security context.

Affected Versions

Discovered in: 15.2.1

Fixed Versions

Fixed in: 15.2.2

Latest News

Living off the land (LotL) Attacks: How cybercriminals exploit your own tools

Living off the land (LotL) Attacks: AI and Machine Learning as your best defence

You’ve chosen a managed IT service provider – what comes next?

See All News