SenderEmail Parameter XSS Vulnerability 

(CVE-2021-32604)

Security Advisory Summary

SolarWinds Serv-U FTP Server versions through 15.2.2.573 do not correctly sanitise and validate the user-supplied 'SenderEmail' parameter. This allows malicious JavaScript to be injected into a publicly shareable URL; the XSS payload is triggered when that shared URL is visited.
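The advisory names the flaw but not the fix. As an added example (not SolarWinds code, and using a placeholder `/share` endpoint because the page does not name the real one), this Python shows the two controls that close this class of bug for a SenderEmail parameter: an allowlist applied before the value is placed into the share URL, and contextual HTML escaping when it is reflected back, plus a hunt over constructed access-log lines for values that would fail the allowlist.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Allowlist for SenderEmail (constructed, deliberately strict): no character
# that can open a tag, close an attribute, or terminate a URL is accepted.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Apache-style request line pattern for the constructed log lines below.
REQ_RE = re.compile(r'"GET (\S+) HTTP/')

def validate_sender_email(value):
    """Return the address if it matches the allowlist, otherwise None."""
    if value is None or len(value) > 254:
        return None
    return value if EMAIL_RE.fullmatch(value) else None

def build_share_url(base, sender_email):
    """Build the public share URL; reject before anything is embedded."""
    validated = validate_sender_email(sender_email)
    if validated is None:
        raise ValueError("SenderEmail rejected")
    return f"{base}?SenderEmail={quote(validated, safe='')}"

def render_sender(value):
    """Reflect a stored SenderEmail into HTML text and attribute context."""
    safe = html.escape(value, quote=True)
    return f'<span data-sender="{safe}">{safe}</span>'

def sender_email_from_url(url):
    """Decode the raw SenderEmail query parameter from a share URL."""
    return parse_qs(urlsplit(url).query).get("SenderEmail", [None])[0]

def find_rejected_requests(log_lines):
    """Return log lines whose SenderEmail fails the allowlist (hunting aid)."""
    hits = []
    for line in log_lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        value = sender_email_from_url(match.group(1))
        if value is not None and validate_sender_email(value) is None:
            hits.append(line)
    return hits

# Constructed sample access-log lines; /share is a placeholder endpoint.
LOG_LINES = [
    '10.0.0.5 - - [05/May/2021:10:00:00 +0000] "GET /share?SenderEmail=alice%40example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/May/2021:10:00:03 +0000] "GET /share?SenderEmail=%3Cscript%3Ealert(1)%3C%2Fscript%3E%40example.com HTTP/1.1" 200 512',
]
```

Rejecting at the allowlist is the primary control; the escaping in `render_sender` is defence in depth for values that reach the page by another path.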

Affected Products

  • Serv-U 15.2.2 and earlier

Fixed Software Release

Acknowledgments

  • Victor Kahan of Trustwave

Advisory Details

Severity

6.9 Medium

Advisory ID

First Published

05/05/2021

Fixed Version

Serv-U 15.2.3

CVSS Score

CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N