Vendor: NetFile FTP/Webserver
By: SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-Site Scripting)
Product Name: NetFile FTP/Webserver
Affected Version From: 6.0.3.588
Affected Version To: 6.0.3.588
Patch Exists: YES
Related CWE: N/A
CPE: a:netfile:netfile_ftp/webserver
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
NetFile Cross-Site Scripting Vulnerability
It has been reported that a cross-site scripting vulnerability may exist in NetFile that may allow remote attackers to execute HTML or script code in a user's browser. The issue reportedly occurs in the "404 Not Found" error message returned when a user requests a URL that does not exist. The error message reportedly contains the requested URL, which is not properly sanitized, allowing an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser. Successful exploitation may allow an attacker to steal cookie-based authentication information that could be used to launch further attacks.
Mitigation:
Input validation should be used to ensure that user-supplied data is properly sanitized before being used in the application.
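The reflected-URL pattern described above, next to a hardened 404 handler, as an added example (this is not NetFile's code). The function names, page template, response headers and sample request path are assumptions constructed for illustration.

```python
import html
from urllib.parse import unquote

# Hypothetical error-page template; {url} is where the requested path is echoed.
TEMPLATE = ("<html><body><h1>404 Not Found</h1>"
            "<p>The requested URL {url} was not found.</p></body></html>")


def not_found_unsafe(raw_path):
    """Reported pattern: the decoded request path is echoed verbatim,
    so any markup in the URL becomes part of the page."""
    return TEMPLATE.format(url=unquote(raw_path))


def not_found_safe(raw_path):
    """Hardened form: sanitize the path, then HTML-encode it on output."""
    path = unquote(raw_path)
    # Input sanitization: drop control characters and cap the echoed length.
    path = "".join(ch for ch in path if ch.isprintable())[:200]
    # Output encoding: &, <, > and both quote characters become entities.
    body = TEMPLATE.format(url=html.escape(path, quote=True))
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # Defense in depth: an error page needs no scripts or subresources.
        "Content-Security-Policy": "default-src 'none'",
    }
    return 404, headers, body


# Constructed sample request path (URL-encoded, harmless alert probe).
SAMPLE_PATH = "/no-such-page%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print(not_found_unsafe(SAMPLE_PATH))   # markup reaches the browser intact
    status, headers, body = not_found_safe(SAMPLE_PATH)
    print(status, headers)
    print(body)                            # markup is rendered as inert text
```

Running the same probe path against a patched server and confirming the response contains `&lt;script&gt;` rather than `<script>` is a quick regression check for this class of bug.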