CVE-2014-2735
WinSCP < 5.5.3 - Man-in-the-Middle Attack via Improper Certificate Hostname Validation
Title source: llmDescription
WinSCP before 5.5.3, when FTP with TLS is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/531847/100/0/threaded
Various Sources x_refsource_confirm
http://winscp.net/eng/docs/history
Various Sources x_refsource_confirm
http://winscp.net/tracker/show_bug.cgi?id=1152
Scores
EPSS
0.0079
EPSS Percentile
52.0%
Details
CWE
CWE-20
Status
published
Products (3)
winscp/winscp
5.5
winscp/winscp
5.5.1
winscp/winscp
< 5.5.2
Published
Apr 22, 2014
Tracked Since
Feb 18, 2026