Reflected XSS in SolarWinds Serv-U FTP Server | The Missing Link

Discovered by Chris Moberly on behalf of The Missing Link Security

Vulnerability Details

The Serv-U FTP Server is vulnerable to a reflected cross-site scripting attack at the following injection points:

**Injection Point: URL Path**
* /Admin/XML
* /Admin/XML/Result.xml

**Injection Point: HTTP POST Parameter**
* /Admin/XML/SMTPResult.xml ('SMTPServer' parameter)
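
One way to flag requests that probe the injection points listed above, added here as an example and not taken from the advisory or from SolarWinds: it reports HTML metacharacters in the URL path under /Admin/XML or in the 'SMTPServer' POST value after URL-decoding. The function names, the metacharacter heuristic, the form-encoded body format and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Injection points named in the advisory.
PATH_PREFIX = "/Admin/XML"
POST_ENDPOINT = "/Admin/XML/SMTPResult.xml"
POST_PARAM = "SMTPServer"

# Assumed heuristic: characters that have no place in these paths or in a
# mail server hostname, but are needed to break out of an HTML context.
MARKUP = re.compile(r"[<>\"'`]")

def full_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(method, target, body=""):
    """Return a list of findings for one HTTP request (empty if clean)."""
    findings = []
    path = full_decode(urlsplit(target).path)
    if path.lower().startswith(PATH_PREFIX.lower()) and MARKUP.search(path):
        findings.append("markup in URL path")
    if method.upper() == "POST" and path.lower().startswith(POST_ENDPOINT.lower()):
        # Assumes an application/x-www-form-urlencoded request body.
        for value in parse_qs(body, keep_blank_values=True).get(POST_PARAM, []):
            if MARKUP.search(full_decode(value)):
                findings.append("markup in SMTPServer parameter")
    return findings

SAMPLES = [  # constructed requests, not captured traffic
    ("GET", "/Admin/XML/Result.xml", ""),
    ("GET", "/Admin/XML/%3Cb%3Eprobe", ""),
    ("GET", "/Admin/XML/%253Cb%253Eprobe", ""),
    ("POST", "/Admin/XML/SMTPResult.xml", "SMTPServer=mail.example.com"),
    ("POST", "/Admin/XML/SMTPResult.xml", "SMTPServer=%3Cb%3Eprobe"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, check_request(method, target, body) or "clean")
```
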

Affected Versions

Discovered in: (current as of Dec 2018)
Fixed in: Serv-U 15.1.6 hotfix 3

