Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI.
References
Link | Resource |
---|---|
http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0196.html | Broken Link |
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046810.html | Broken Link Exploit |
http://secunia.com/advisories/20575 | Broken Link Vendor Advisory |
http://winscp.net/eng/docs/history#3.8.2 | Release Notes |
http://www.kb.cert.org/vuls/id/912588 | Third Party Advisory US Government Resource |
http://www.securityfocus.com/bid/18384 | Broken Link Exploit Third Party Advisory VDB Entry |
http://www.vupen.com/english/advisories/2006/2289 | Broken Link |
https://exchange.xforce.ibmcloud.com/vulnerabilities/27075 | Third Party Advisory VDB Entry |
Configurations
History
13 Feb 2024, 17:49
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-88 | |
CPE | cpe:2.3:a:winscp:winscp:3.8.1:*:*:*:*:*:*:* | |
References | () http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0196.html - Broken Link | |
References | () http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046810.html - Broken Link, Exploit | |
References | () http://secunia.com/advisories/20575 - Broken Link, Vendor Advisory | |
References | () http://winscp.net/eng/docs/history#3.8.2 - Release Notes | |
References | () http://www.kb.cert.org/vuls/id/912588 - Third Party Advisory, US Government Resource | |
References | () http://www.securityfocus.com/bid/18384 - Broken Link, Exploit, Third Party Advisory, VDB Entry | |
References | () http://www.vupen.com/english/advisories/2006/2289 - Broken Link | |
References | () https://exchange.xforce.ibmcloud.com/vulnerabilities/27075 - Third Party Advisory, VDB Entry |
Information
Published : 2006-06-14 15:06
Updated : 2024-02-13 17:49
NVD link : CVE-2006-3015
Mitre link : CVE-2006-3015
CVE.ORG link : CVE-2006-3015
JSON object : View
Products Affected
winscp
- winscp
CWE
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')