9.3

CVE-2007-4909

Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP.  NOTE: this is related to an incomplete fix for CVE-2006-3015.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WinSCPWinSCP Version2.0.0
WinSCPWinSCP Version3.5.5_beta
WinSCPWinSCP Version3.5.6
WinSCPWinSCP Version3.6
WinSCPWinSCP Version3.6.1
WinSCPWinSCP Version3.6.5_beta
WinSCPWinSCP Version3.6.6
WinSCPWinSCP Version3.6.7
WinSCPWinSCP Version3.8.1
WinSCPWinSCP Version3.8.2
WinSCPWinSCP Version4.0.2
WinSCPWinSCP Version4.0.3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 13.61% 0.936
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C