VYPR
Unrated severity · NVD Advisory · Published Feb 3, 2021 · Updated Aug 4, 2024

CVE-2020-28001

Description

SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SolarWinds Serv-U before 15.2.2 allows authenticated stored XSS via crafted directory names in the breadcrumb menu.

Vulnerability

SolarWinds Serv-U FTP server versions before 15.2.2 are vulnerable to authenticated stored cross-site scripting (XSS). The application fails to properly sanitize user-supplied directory names. When a directory is created with a maliciously crafted name, the payload executes when the directory name appears in the breadcrumb navigation menu. The vulnerability was discovered in version 15.2.1 and affects releases prior to the fix [1].
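As an added illustration of the rendering flaw described above (example code, not Serv-U's own; the markup layout, function names and sample path are assumptions), the unsafe breadcrumb builder beside an escaping one, plus a creation-time name check as defence in depth:

```javascript
// Added example, not Serv-U code: a breadcrumb built from user-controlled
// directory names is a stored XSS sink unless each segment is escaped for
// the context it lands in. Names, path layout and markup are assumptions.

// Minimal HTML entity escaping for element content and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored directory names are concatenated straight into
// markup, so a name containing a script element becomes live HTML.
function renderBreadcrumbUnsafe(segments) {
  let html = '<ul class="breadcrumb">';
  let path = "";
  for (const name of segments) {
    path += "/" + name;
    html += '<li><a href="?dir=' + path + '">' + name + "</a></li>";
  }
  return html + "</ul>";
}

// Hardened pattern: the path is URL-encoded for the query string and every
// untrusted segment is entity-escaped before reaching attribute or content.
function renderBreadcrumbSafe(segments) {
  let html = '<ul class="breadcrumb">';
  let path = "";
  for (const name of segments) {
    path += "/" + name;
    const href = "?dir=" + encodeURIComponent(path);
    html += '<li><a href="' + escapeHtml(href) + '">' + escapeHtml(name) + "</a></li>";
  }
  return html + "</ul>";
}

// Defence in depth: reject names with HTML metacharacters when the directory
// is created, so the stored value never depends on render-side escaping alone.
function isAcceptableDirectoryName(name) {
  return /^[A-Za-z0-9._ -]{1,255}$/.test(name) && name !== "." && name !== "..";
}

// Constructed sample path: the last segment is a hostile directory name.
const SAMPLE_SEGMENTS = ["home", "alice", "<script>alert(1)</script>"];
```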

Exploitation

To exploit this vulnerability, an attacker must have valid FTP credentials (authenticated access). No special network position is required beyond normal connectivity to the FTP server. The attacker creates a directory with an XSS payload embedded in its name; for example, a name containing JavaScript code such as ``. When administrators or other users navigate the file structure and click on the malicious directory name in the breadcrumb menu, the stored payload executes in their browser session [1].

Impact

A successful attack enables the attacker to perform unauthorized actions in the victim's security context. This can include session hijacking, data exfiltration, or arbitrary actions on the Serv-U web interface as the affected user. The impact is limited to the scope of the logged-in user's privileges, but may lead to further compromise if an administrator is targeted [1].

Mitigation

The vulnerability is fixed in SolarWinds Serv-U version 15.2.2, released in October 2020. All users running Serv-U 15.2.1 or earlier should upgrade to version 15.2.2 immediately. No workarounds are documented in available references. The Missing Link advisory provides full details [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
