Serv U
by Rhinosoft
CVEs (24)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-35252 | | | 0.00 | — | 0.01 | | Dec 16, 2022 | Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext. |
| CVE-2021-35249 | | | 0.00 | — | 0.01 | | May 17, 2022 | This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a… |
| CVE-2021-35245 | | | 0.00 | — | 0.01 | | Dec 6, 2021 | When a user has admin rights in Serv-U Console, the user can move, create and delete any files that are able to be accessed on the Serv-U host machine. |
| CVE-2001-1463 | | | 0.00 | — | 0.03 | | Nov 19, 2001 | The remote administration client for RhinoSoft Serv-U 3.0 sends the user password in plaintext even when S/KEY One-Time Password (OTP) authentication is enabled, which allows remote attackers to sniff passwords. |