CVE-2025-27889: Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an...

3.4 CVSS

Description

Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.

Classification

CVE ID: CVE-2025-27889

CVSS Base Severity: LOW

CVSS Base Score: 3.4

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Problem Types

CWE-15 External Control of System or Configuration Setting

Affected Products

Vendor: wftpserver

Product: Wing FTP Server

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27889
https://www.wftpserver.com/wftpserver.htm
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt