CVE-2018-20684

HIGH

WinSCP < 5.13.7 - Arbitrary File Write via SCP File Transfer

Description

In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp.

References (6)

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106526
Release Notes, Vendor Advisory x_refsource_misc
https://winscp.net/eng/docs/history
Patch, Vendor Advisory x_refsource_misc
https://winscp.net/tracker/1675
Mitigation, Third Party Advisory x_refsource_misc
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Scores

CVSS v3 7.5
EPSS 0.0253
EPSS Percentile 82.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE CWE-20
Status published
Products (1)
winscp/winscp < 5.13.7
Published Jan 10, 2019
Tracked Since Feb 18, 2026