Cross Site Scripting in SolarWinds Serv-U Product
CVE-2020-22428

4.8MEDIUM

Key Information:

Vendor
Solarwinds
Status
Serv-u Ftp Server
Serv-u Mft Server
Vendor
CVE Published:
5 May 2021

Summary

The vulnerability in SolarWinds Serv-U allows malicious actors to inject JavaScript payloads through directory names specified by an admin. This Cross Site Scripting (XSS) issue could enable attackers to execute unauthorized scripts in the context of a user's session, potentially leading to data theft or session hijacking. Users of Serv-U versions prior to 15.1.6 Hotfix 3 should take immediate action to mitigate this risk.

References

https://www.linkedin.com/in/gabrielegristina
x_refsource_MISC
https://twitter.com/gm4tr1x
x_refsource_MISC
https://github.com/matrix
x_refsource_MISC

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.