CVE-2019-13182
Description
A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server 15.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in SolarWinds Serv-U FTP Server 15.1.7 allows attackers to inject arbitrary JavaScript via the Full Name and HTTP Login Title Text fields.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server version 15.1.7 [1]. The affected fields are Full Name and HTTP Login Title Text, which do not properly sanitize user-supplied input before storage, allowing arbitrary JavaScript to be injected [1].
Exploitation
An attacker can exploit this vulnerability by submitting malicious JavaScript code in the Full Name or HTTP Login Title Text fields through the web interface. No special network position is required beyond access to the affected web UI; both authenticated and unauthenticated users can trigger the stored XSS [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser when the stored payload is rendered. This can lead to unauthorized actions performed in the user's security context, including session hijacking, credential theft, or other malicious actions [1].
Mitigation
SolarWinds released Serv-U 15.1.7 Hotfix 2 to address this vulnerability [1]. Users should upgrade to this fixed version. No workaround is disclosed in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SolarWinds/Serv-U FTP Server (description)
- Range: = 15.1.7
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/155672/Serv-U-FTP-Server-15.1.7-Persistent-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Dec/32 (mitre, mailing-list, x_refsource_FULLDISC)
- www.themissinglink.com.au/security-advisories-cve-2019-13182 (mitre, x_refsource_MISC)