Progress Software has issued hotfixes for a critical security vulnerability (with a maximum CVSS score of 10.0) and seven other flaws in its WS_FTP Server Ad hoc Transfer Module and WS_FTP Server manager interface.
The most severe flaw, CVE-2023-40044, affects all versions of the software, allowing a pre-authenticated attacker to exploit a .NET deserialization vulnerability to run remote commands.
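To make the vulnerability class concrete, the C# snippet below is an added illustration and is not code from WS_FTP Server or from Progress Software. It contrasts the pattern that makes .NET deserialization of untrusted input dangerous (a formatter that instantiates whatever types the payload names) with a hardened alternative that binds input to one fixed data type. The `TransferRequest` type, the method names and the payload shape are assumptions made for the example.

```csharp
// Added illustration (not WS_FTP Server code): why handing untrusted bytes to
// BinaryFormatter is a remote-code-execution risk, and a hardened alternative.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical request type for a file-transfer request; not from WS_FTP.
[Serializable]
public sealed class TransferRequest
{
    public string FileName { get; set; } = "";
    public long SizeBytes { get; set; }
}

public static class RequestParsing
{
    // VULNERABLE PATTERN: BinaryFormatter rebuilds whatever object graph the
    // payload describes, including arbitrary types whose constructors, setters
    // or deserialization callbacks have side effects. When 'payload' arrives
    // from an unauthenticated client, the client chooses which types are
    // instantiated, which is the root of this class of RCE. Microsoft has marked
    // BinaryFormatter obsolete (SYSLIB0011) and disables it by default in
    // current .NET releases for this reason.
#pragma warning disable SYSLIB0011
    public static TransferRequest ParseUnsafe(byte[] payload)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(payload);
        // The cast runs only after every object in the payload has already
        // been constructed, so it is not a protection.
        return (TransferRequest)formatter.Deserialize(stream);
    }
#pragma warning restore SYSLIB0011

    // HARDENED PATTERN: a data-only format bound to a single concrete type.
    // The payload cannot name a type to instantiate, unknown members are
    // ignored, and malformed input fails with JsonException instead of
    // executing anything. Semantic checks follow the parse.
    public static TransferRequest ParseSafe(byte[] payload)
    {
        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        TransferRequest request = JsonSerializer.Deserialize<TransferRequest>(payload, options)
            ?? throw new InvalidDataException("empty request");

        if (string.IsNullOrWhiteSpace(request.FileName) || request.SizeBytes < 0)
            throw new InvalidDataException("invalid transfer request");

        return request;
    }
}
```

The practical review question for any .NET service that accepts uploads or serialized state from a network client is the same one this example isolates: does the deserialization step let the input select the type, or does the server fix the type and only read fields from the input? Only the second form is safe with unauthenticated callers.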
Other notable vulnerabilities include:
CVE-2023-42657: A directory traversal flaw.
CVE-2023-40045 & CVE-2022-27665: Reflected cross-site scripting (XSS) vulnerabilities.
CVE-2023-40047: A stored XSS vulnerability in the WS_FTP Server’s Management module.
CVE-2023-40046: An SQL injection vulnerability.
CVE-2023-40048: A cross-site request forgery (CSRF) vulnerability.
CVE-2023-40049: An authentication bypass flaw.
With increasing threats from ransomware groups targeting Progress Software, users are urged to promptly apply the provided patches. Furthermore, Progress Software is currently dealing with the aftermath of a major hack on its MOVEit Transfer platform from May 2023, which affected over 2,100 organizations and 62 million individuals.