CVE-2025-27889 Information

Jul 12, 2025 cve

Description

Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint allowing injection of an arbitrary link. If a user clicks a crafted link this discloses a cleartext password to the attacker.

Reference

https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ https://www.wftpserver.com/wftpserver.htm Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint allowing injection of an arbitrary link. If a user clicks a crafted link this discloses a cleartext password to the attacker.

CNNVD-202507-1509 (Published: 2025-07-10)

Share on:

CVE-2025-27889 Information

Description

Reference

Related CNNVD