exploitDog

CVE-2020-9470

Опубликовано: 07 мар. 2020

Источник: nvd

CVSS3: 7.8

CVSS2: 6.9

EPSS Низкий

Описание

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Due to insecure permissions when handling session cookies, a local user may view the contents of the session and session_admin directories, which expose active session cookies within the Wing FTP HTTP interface and administration panel. These cookies may be used to hijack user and administrative sessions, including the ability to execute Lua commands as root within the administration panel.

Ссылки

https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php
Exploit
Third Party Advisory
https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*

Версия до 6.2.5 (включая)

EPSS

Процентиль: 83%

0.0191

Низкий

7.8 High

CVSS3

6.9 Medium

CVSS2

Дефекты

CWE-732

Связанные уязвимости

GHSA-6p46-7gq6-xc33

github

больше 3 лет назад

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Due to insecure permissions when handling session cookies, a local user may view the contents of the session and session_admin directories, which expose active session cookies within the Wing FTP HTTP interface and administration panel. These cookies may be used to hijack user and administrative sessions, including the ability to execute Lua commands as root within the administration panel.

EPSS

Процентиль: 83%

0.0191

Низкий

7.8 High

CVSS3

6.9 Medium

CVSS2

Дефекты

CWE-732