CVE-2025-27889
LOWDescription
Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| wftpserver | wing_ftp_server |
References
Exploits
Other References
Frequently Asked Questions
What is CVE-2025-27889? +
How severe is CVE-2025-27889? +
What products are affected by CVE-2025-27889? +
How do I check if I'm vulnerable to CVE-2025-27889? +
Related Vulnerabilities
For TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F, an attacker can impersonate a ground station …
HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version …
Insufficient configuration management in the listed devices allows authenticated administrators connected to the local network to tamper with the system.
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. …
Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow …
Via the GUI of the "bestinformed Infoclient", a low-privileged user is by default able to change the server address of …