CVE-2023-42659

In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified.  An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
ProgressSoftwareCNA
9.1 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
VendorProductVersion
progressws_ftp_server
𝑥
< 8.7.6
progressws_ftp_server
8.8.0 ≤
𝑥
< 8.8.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023
https://www.progress.com/ws_ftp
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023
https://www.progress.com/ws_ftp