Vulnerability Description
This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP 22.1.0 Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HttpFile class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. Was ZDI-CAN-17481.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Enterprisedt | Completeftp Server | < 22.1.1 |
Related Weaknesses (CWE)
References
- https://www.zerodayinitiative.com/advisories/ZDI-22-1032/Third Party AdvisoryVDB Entry
- https://www.zerodayinitiative.com/advisories/ZDI-22-1032/Third Party AdvisoryVDB Entry
FAQ
What is CVE-2022-2560?
CVE-2022-2560 is a vulnerability with a CVSS score of 9.1 (CRITICAL). This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP 22.1.0 Server. Authentication is not required to exploit this vulnerability. ...
How severe is CVE-2022-2560?
CVE-2022-2560 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-2560?
Check the references section above for vendor advisories and patch information. Affected products include: Enterprisedt Completeftp Server.