CVE-2020-11704

Published: Apr 12, 2020Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Web Interface has Multiple Stored and Reflected XSS. GetInheritedProperties is Reflected via the groups parameter. GetUserInfo is Reflected via POST data. SetUserInfo is Stored via the general parameter.

Affected (1)

Products: Provideserver: Provide Ftp Server

1 product

Provide Ftp Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Provideserver Provide Ftp Server	Up to 13.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20Admin%20Interface%20-%20Multiple%20Cross-Site-Scripting

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.provideserver.com/security/

Source: cve@mitre.org

Vendor Advisory

https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20Admin%20Interface%20-%20Multiple%20Cross-Site-Scripting

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.provideserver.com/security/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.