CVE-2022-27665

CVE-2022-27665 is a medium-severity vulnerability in Progress Ws Ftp Server with a CVSS 3.x base score of 6.1. Its EPSS exploit-prediction score of 33% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-79.

Key facts

Description

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

Frequently asked questions

What is CVE-2022-27665?
Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.
How severe is CVE-2022-27665?
CVE-2022-27665 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2022-27665 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 33% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2022-27665?
CVE-2022-27665 affects Progress Ws Ftp Server. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-27665?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2022-27665 published?
CVE-2022-27665 was published on 2023-04-03 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Progress Ws Ftp Server

All CVEs affecting Progress Ws Ftp Server →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →