Title: Stored cross-site scripting in Serv-U File Server by SolarWinds
Discovery: Jack Misiura on behalf of The Missing Link Security
SolarWinds Serv-U FTP server through 15.2.1 does not correctly sanitize and validate user-supplied directory names, allowing malicious users to create directories that, when clicked on in the breadcrumb menu, trigger XSS payloads.
Successful exploitation of this issue may allow an attacker to perform unauthorised actions in the user’s security context.
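The class of flaw described above, shown as an added example that is not Serv-U source code: a breadcrumb renderer that writes directory names into markup unchanged, next to one that percent-encodes each path segment and HTML-escapes the label. All function names and the sample path are hypothetical and constructed for illustration.

```javascript
// Added illustration; not Serv-U source code. All names are hypothetical.

// Escape the five characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Split a server path into directory segments, dropping empty ones.
function segments(path) {
  return path.split('/').filter((p) => p.length > 0);
}

// WEAK: directory names are concatenated into markup unchanged, so a name
// containing tags becomes live HTML in the breadcrumb of every viewer.
function breadcrumbUnsafe(path) {
  let href = '';
  return segments(path).map((name) => {
    href += '/' + name;
    return '<a href="' + href + '">' + name + '</a>';
  }).join(' / ');
}

// HARDENED: percent-encode each segment for the URL, then HTML-escape both
// the attribute value and the visible label before building markup.
function breadcrumbSafe(path) {
  let href = '';
  return segments(path).map((name) => {
    href += '/' + encodeURIComponent(name);
    return '<a href="' + escapeHtml(href) + '">' + escapeHtml(name) + '</a>';
  }).join(' / ');
}

// Constructed sample: a directory name that carries markup.
const samplePath = '/home/<img src=x onerror=alert(1)>/docs';
console.log(breadcrumbUnsafe(samplePath)); // name is emitted as an element
console.log(breadcrumbSafe(samplePath));   // name is emitted as inert text
```

Escaping at output time covers names that were stored before any input validation existed; rejecting markup characters when a directory is created is a complementary control, not a replacement.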
Discovered in: 15.2.1
Fixed in: 15.2.2
SolarWinds would like to thank Jack Misiura for reporting this vulnerability.