CVE-2020-11708

CRITICAL

ProVide FTP Server < 13.1 - Privilege Escalation via EXECUTE() Feature

Title source: llm

Description

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. Privilege escalation can occur via the /ajax/SetUserInfo messages parameter because of the EXECUTE() feature, which is for executing programs when certain events are triggered.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://www.provideserver.com/security/

Various Sources x_refsource_misc

https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20Admin%20Interface%20-%20Privilege%20Escalation%20via%20EXECUTE%28%29

Scores

CVSS v3 9.8

EPSS 0.0156

EPSS Percentile 72.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-269

Status published

Products (1)

provideserver/provide_ftp_server < 13.1

Published Apr 12, 2020

Tracked Since Feb 18, 2026