Main Vulnerability Database Vulnerabilities #VU18943

#VU18943 OS Command Injection in FileZilla

Published: June 29, 2019

Vulnerability identifier: #VU18943

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
FileZilla

Software vendor:
FileZilla

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of filenames that contain double-quotation marks when opening or editing files. A remote unauthenticated attacker that controls a remote server can trick the victim to connect to a malicious server to open a file with a specially crafted filename and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://filezilla-project.org/versions.php#3.43.0