Details of VAR-201006-0451

ID

VAR-201006-0451

CVE

CVE-2010-2428

TITLE

Windows For Wing FTP Server of Administrator Web Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2010-005558

DESCRIPTION

Cross-site scripting (XSS) vulnerability in admin_loginok.html in the Administrator web interface in Wing FTP Server for Windows 3.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted POST request. Wing FTP server is a multi-protocol file server that supports HTTP and FTP. The Wing FTP server's Administrator console interface (http://x.x.x.x:5466/admin_loginok.html port is 5466) does not properly filter user-submitted requests. A remote attacker can perform a cross-site scripting attack by submitting a special build POST request. Wing FTP Server is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible

Trust: 2.43

sources: NVD: CVE-2010-2428 // JVNDB: JVNDB-2010-005558 // CNVD: CNVD-2010-1050 // BID: 40510

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2010-1050

AFFECTED PRODUCTS

vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.3.5	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.4.0	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.4.1	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.2.0	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.4.3	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.1.0	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.4.2	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.0.0	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.4.5	Trust: 1.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	1.1	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	2.0	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.1.2	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	lte	version:	3.5.0	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.3.0	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	1.3	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	1.4	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	1.6	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.3.4	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	2.1	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	1.5	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	2.3	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.2.8	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	1.2	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.2.4	Trust: 1.0
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	2.4	Trust: 1.0
vendor:	wing ftp	model:	server	scope:	lte	version:	3.5.0	Trust: 0.8
vendor:	no	model:	-	scope:	-	version:	-	Trust: 0.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.5.0	Trust: 0.6
vendor:	wftpserver	model:	wing ftp server	scope:	eq	version:	3.5	Trust: 0.3

sources: CNVD: CNVD-2010-1050 // BID: 40510 // JVNDB: JVNDB-2010-005558 // CNNVD: CNNVD-201006-390 // NVD: CVE-2010-2428

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-2428
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2010-2428
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201006-390
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2010-2428
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2010-005558 // CNNVD: CNNVD-201006-390 // NVD: CVE-2010-2428

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2010-005558 // NVD: CVE-2010-2428

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201006-390

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201006-390

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-005558

PATCH

title:

Top Page

url:

http://www.wftpserver.com/

Trust: 0.8

sources: JVNDB: JVNDB-2010-005558

EXTERNAL IDS

db:	NVD	id:	CVE-2010-2428	Trust: 2.7
db:	BID	id:	40510	Trust: 2.5
db:	OSVDB	id:	65444	Trust: 1.6
db:	JVNDB	id:	JVNDB-2010-005558	Trust: 0.8
db:	CNVD	id:	CNVD-2010-1050	Trust: 0.6
db:	FULLDISC	id:	20100607 RE: WING FTP SERVER - CROSS SITE SCRIPTING VULNERABILITY	Trust: 0.6
db:	FULLDISC	id:	20100602 WING FTP SERVER - CROSS SITE SCRIPTING VULNERABILITY	Trust: 0.6
db:	BUGTRAQ	id:	20100602 WING FTP SERVER - CROSS SITE SCRIPTING VULNERABILITY	Trust: 0.6
db:	XF	id:	59094	Trust: 0.6
db:	CNNVD	id:	CNNVD-201006-390	Trust: 0.6

sources: CNVD: CNVD-2010-1050 // BID: 40510 // JVNDB: JVNDB-2010-005558 // CNNVD: CNNVD-201006-390 // NVD: CVE-2010-2428

REFERENCES

url:	http://www.securityfocus.com/bid/40510	Trust: 1.6
url:	http://www.osvdb.org/65444	Trust: 1.6
url:	http://seclists.org/fulldisclosure/2010/jun/49	Trust: 1.6
url:	http://seclists.org/fulldisclosure/2010/jun/128	Trust: 1.6
url:	http://labs-werew01f.sectester.net/2010/06/wing-ftp-server-cross-site-scripting.html	Trust: 1.6
url:	http://archives.neohapsis.com/archives/bugtraq/2010-06/0031.html	Trust: 1.6
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/59094	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2428	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2428	Trust: 0.8
url:	http://marc.info/?l=bugtraq&m=127549268812962&w=2	Trust: 0.6
url:	http://xforce.iss.net/xforce/xfdb/59094	Trust: 0.6
url:	http://www.wftpserver.com/	Trust: 0.3
url:	/archive/1/511612	Trust: 0.3

sources: CNVD: CNVD-2010-1050 // BID: 40510 // JVNDB: JVNDB-2010-005558 // CNNVD: CNNVD-201006-390 // NVD: CVE-2010-2428

CREDITS

w01f

Trust: 0.3

sources: BID: 40510

SOURCES

db:	CNVD	id:	CNVD-2010-1050
db:	BID	id:	40510
db:	JVNDB	id:	JVNDB-2010-005558
db:	CNNVD	id:	CNNVD-201006-390
db:	NVD	id:	CVE-2010-2428

LAST UPDATE DATE

2025-04-11T22:50:31.387000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2010-1050	date:	2010-06-06T00:00:00
db:	BID	id:	40510	date:	2015-04-13T21:02:00
db:	JVNDB	id:	JVNDB-2010-005558	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-201006-390	date:	2010-06-28T00:00:00
db:	NVD	id:	CVE-2010-2428	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2010-1050	date:	2010-06-06T00:00:00
db:	BID	id:	40510	date:	2010-06-02T00:00:00
db:	JVNDB	id:	JVNDB-2010-005558	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-201006-390	date:	2010-06-25T00:00:00
db:	NVD	id:	CVE-2010-2428	date:	2010-06-24T12:17:45.203