CVE-2018-19934
Description
SolarWinds Serv-U FTP Server 15.1.6.25 has reflected cross-site scripting (XSS) in the Web management interface via URL path and HTTP POST parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SolarWinds Serv-U FTP Server 15.1.6.25 has a reflected XSS bug in the Web management interface via URL path and HTTP POST parameter.
Vulnerability
SolarWinds Serv-U FTP Server version 15.1.6.25 contains a reflected cross-site scripting (XSS) vulnerability in the Web management interface. The injection points include the URL path, specifically /Admin/XML and /Admin/XML/Result.xml, and the HTTP POST parameter SMTPServer in /Admin/XML/SMTPResult.xml [1].
Exploitation
An attacker can craft a malicious URL or POST request containing a JavaScript payload in the vulnerable parameter. The management interface reflects the input without proper sanitization when processing the request. No authentication is required for the reflection, but the crafted link must be sent to a user who is currently authenticated to the management interface (e.g., via phishing) for the XSS to execute in the user's session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the management interface. This can lead to session hijacking, defacement, or theft of sensitive data displayed in the interface [1].
Mitigation
The vulnerability was fixed in Serv-U version 15.1.6 hotfix 3, released by SolarWinds. Administrators should upgrade to the patched version immediately [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 15.1.6.25
- (no CPE) range: = 15.1.6.25
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/151474/SolarWinds-Serv-U-FTP-15.1.6.25-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Feb/5 (mitre, x_refsource_MISC)
- www.themissinglink.com.au/security-advisories-cve-2018-19934 (mitre, x_refsource_MISC)