Stored cross-site scripting in Serv-U File Server by SolarWinds | The Missing Link

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

SolarWinds Serv-U FTP server through 15.2.1 does not correctly sanitize and validate user-supplied directory names. A malicious user can therefore create a directory whose name contains script, and when that directory is later clicked on in the breadcrumb menu, the stored XSS payload executes in the browser of whoever is viewing it.

Successful exploitation of this issue may allow an attacker to perform unauthorised actions in the security context of the user who views the crafted directory name.
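
The rendering flaw described above, as an added example that is not Serv-U's or SolarWinds' code: a toy breadcrumb renderer in its vulnerable form (directory names concatenated straight into markup) next to a hardened form that encodes for the HTML text context and the URL context separately, plus a server-side name check as defence in depth. The function names, the allow-list policy and the sample path are assumptions for illustration only.

```javascript
// Added example (not Serv-U code): models the vulnerable breadcrumb pattern
// the advisory describes and the output-encoding fix for it.

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: each directory name is inserted into the markup as-is, so a
// name containing a tag becomes live HTML in every visitor's browser.
function renderBreadcrumbUnsafe(segments) {
  let href = '';
  const parts = segments.map(name => {
    href += '/' + name;
    return `<a href="${href}">${name}</a>`;
  });
  return parts.join(' / ');
}

// HARDENED: percent-encode each segment for the URL, then HTML-escape both
// the attribute value and the visible text. The name is preserved, the markup is not.
function renderBreadcrumbSafe(segments) {
  let href = '';
  const parts = segments.map(name => {
    href += '/' + encodeURIComponent(name);
    return `<a href="${escapeHtml(href)}">${escapeHtml(name)}</a>`;
  });
  return parts.join(' / ');
}

// Defence in depth at directory-creation time. Assumed policy (not Serv-U's):
// 1-255 printable characters, no path separators, no control characters,
// no HTML metacharacters, and no "." / ".." traversal names.
const DIR_NAME_RE = /^[^<>"'&\/\\\x00-\x1f]{1,255}$/;
function isValidDirectoryName(name) {
  return DIR_NAME_RE.test(name) && name !== '.' && name !== '..';
}

// Constructed sample path: the last segment is the kind of name a tester
// would use to confirm the bug; it is not a payload seen in the wild.
const SAMPLE = ['home', 'uploads', '<img src=x onerror=alert(1)>'];

// Stand-alone demonstration: the unsafe renderer emits the tag verbatim,
// the safe renderer emits it as inert text, and the validator rejects the name.
console.log('unsafe:', renderBreadcrumbUnsafe(SAMPLE));
console.log('safe:  ', renderBreadcrumbSafe(SAMPLE));
console.log('accepted at creation?', isValidDirectoryName(SAMPLE[2]));
```

Output encoding in the renderer is the fix that actually closes the bug; the creation-time allow-list only narrows what reaches storage and should not be relied on alone, since names can also arrive through other channels (FTP, SFTP, bulk import) than the web UI.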

Affected Versions

Discovered in: 15.2.1

Fixed Versions

Fixed in: 15.2.2

