CVE-2009-3478

FireFTP 1.0.5 - Authenticated Argument Injection via Filename with Double Quotes


Description

Argument injection vulnerability in (1) src/content/js/connection/sftp.js and (2) src/content/js/connection/controlSocket.js.in in FireFTP Extension 1.0.5 for Firefox allows remote authenticated SFTP users to cause victims to alter permissions, delete, download, or move the wrong file via a filename containing " (double quotes), which is not properly filtered or encoded when FireFTP constructs the command to send to psftp.exe.
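The quoting failure described above, as an added example that is not FireFTP's own code. The function names and the sample filename are hypothetical, and `splitPsftpLine` is a simplified model of psftp's quoting rules (whitespace separates words, a lone `"` toggles quoting, a doubled `""` is a literal quote), used here to show how the receiving side parses each command line.

```javascript
// Simplified model of psftp's word splitting (assumption, see lead-in):
// whitespace separates words, a lone " toggles quoting, "" is a literal quote.
function splitPsftpLine(line) {
  const words = [];
  let i = 0;
  while (i < line.length) {
    while (i < line.length && /\s/.test(line[i])) i++; // skip separators
    if (i >= line.length) break;
    let word = "", quoting = false;
    while (i < line.length && (quoting || !/\s/.test(line[i]))) {
      if (line[i] === '"' && line[i + 1] === '"') { word += '"'; i += 2; }
      else if (line[i] === '"') { quoting = !quoting; i++; }
      else { word += line[i++]; }
    }
    words.push(word);
  }
  return words;
}

// Assumed vulnerable pattern: the name is wrapped in quotes but not encoded.
function buildCommandUnsafe(verb, name) {
  return verb + ' "' + name + '"';
}

// Hardened: refuse names that cannot form one argument, double embedded quotes.
function quotePsftpArg(name) {
  if (name === "" || /[\r\n\0]/.test(name)) {
    throw new Error("filename cannot be sent as a single psftp argument");
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

function buildCommandSafe(verb, name) {
  return verb + " " + quotePsftpArg(name);
}

// Constructed sample: one server-supplied filename containing double quotes.
const listed = 'report" "notes.txt';
console.log(splitPsftpLine(buildCommandUnsafe("rm", listed))); // verb + 2 args
console.log(splitPsftpLine(buildCommandSafe("rm", listed)));   // verb + 1 arg
```

With the unencoded form the single listed name is parsed as two separate arguments, so the operation lands on files other than the one the user selected; the encoded form round-trips to exactly the original name.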

Scores

EPSS 0.0125
EPSS Percentile 65.9%

Details

CWE CWE-94
Status published
Products (1) nightlight/fireftp 1.0.5
Published Sep 29, 2009
Tracked Since Feb 18, 2026