SenderEmail Parameter XSS Vulnerability (CVE-2021-32604)

Security Advisory Summary

SolarWinds Serv-U FTP Server versions up to and including 15.2.2.573 do not correctly sanitise or validate the user-supplied 'SenderEmail' parameter. This allows an attacker to inject JavaScript into a publicly shareable URL; when a victim opens that URL, the XSS payload executes in the victim's browser.
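The bug class behind this advisory is a user-supplied value reflected into HTML without validation or output encoding. The following is an added illustration of that pattern beside its hardened form; it is constructed for this page and is not Serv-U code, its real page template, or a known exploit string for the product. The `SenderEmail` parameter name is taken from the advisory; the template markup, the address grammar and the sample payload are assumptions.

```python
"""Reflected-XSS pattern and fix for a 'SenderEmail'-style parameter.

Constructed example for illustration only; it does not reproduce the
Serv-U template or its actual parameter handling.
"""
import html
import re

# Constructed inputs: a plain address and a generic attribute-breakout probe.
# The probe is a textbook shape, not a payload taken from the advisory.
BENIGN_SENDER = "alice@example.test"
MALICIOUS_SENDER = 'a@b.test"><script>alert(document.cookie)</script>'

# Assumed, deliberately conservative address grammar: only characters that
# are harmless inside an HTML attribute value are allowed at all.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def render_share_page_vulnerable(sender_email: str) -> str:
    """The bug pattern: the parameter is concatenated straight into markup."""
    return (
        '<p>Shared by: <input type="text" name="SenderEmail" value="'
        + sender_email
        + '"></p>'
    )


def is_valid_sender_email(sender_email: str) -> bool:
    """Allow-list validation against the assumed grammar above."""
    return _EMAIL_RE.fullmatch(sender_email) is not None


def render_share_page_fixed(sender_email: str) -> str:
    """Validate first, then encode for the attribute context.

    Either step alone defeats this particular probe; doing both is the
    practice, because validation is a policy check and encoding is the
    context-specific control that holds even when the policy is loosened.
    """
    if not is_valid_sender_email(sender_email):
        raise ValueError("SenderEmail is not a valid address")
    safe = html.escape(sender_email, quote=True)
    return (
        '<p>Shared by: <input type="text" name="SenderEmail" value="'
        + safe
        + '"></p>'
    )


def encode_only(sender_email: str) -> str:
    """Output encoding on its own, to show it neutralises the breakout probe."""
    return html.escape(sender_email, quote=True)


def contains_script_tag(markup: str) -> bool:
    """Crude check used by the demo: did a raw <script> survive into the page?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_share_page_vulnerable(MALICIOUS_SENDER))
    print("fixed     :", render_share_page_fixed(BENIGN_SENDER))
    print("rejected  :", not is_valid_sender_email(MALICIOUS_SENDER))
```

When testing a fix like this, check the encoded output in the exact context it lands in (here a double-quoted attribute); encoding that is correct for element text is not always sufficient inside attributes, URLs or script blocks.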

Affected Products

  • Serv-U 15.2.2 and earlier

Fixed Software Release

  • Serv-U 15.2.3

Acknowledgments

  • Victor Kahan of Trustwave

Advisory Details

Severity

Medium

Advisory ID

First Published

05/05/2021

Fixed Version

Serv-U 15.2.3

CVSS Score

CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N (base score 6.9, Medium)
