
cpe:2.3:a:netwin:surgeftp:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Netwin (84440f9c-0c8f-54f6-a00b-4d1ca5722029)
Product: Surgeftp (720c321e-b60b-53ef-9427-9fc11718e7dd)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2013-4742 vulnerable 2026-06-08 05:04:49.517541 Details available
Buffer overflow in NetWin SurgeFTP before 23d2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string within the authentication request.
Published: 2013-08-09T21:00:00.000Z
Updated: 2024-08-06T16:52:27.001Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2012-10028 vulnerable 2026-06-08 05:00:46.886038 Netwin SurgeFTP <= v23c8 Authenticated RCE
Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests to `surgeftpmgr.cgi`. This can lead to full remote code execution on the underlying system.
Published: 2025-08-05T20:04:20.181Z
Updated: 2026-05-15T11:13:55.331Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2007-3769 vulnerable 2026-06-08 04:49:54.893638 Details available
Cross-site scripting (XSS) vulnerability in the mirrored server management interface in SurgeFTP 2.3a1 allows user-assisted, remote FTP servers to inject arbitrary web script or HTML via a malformed response without a status code, which is reflected to the user in the resulting error message. NOTE: this can be leveraged for root access via a sequence of steps involving web script that creates a new FTP user account.
Published: 2007-07-15T21:00:00.000Z
Updated: 2024-08-07T14:28:52.476Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2007-3768 vulnerable 2026-06-08 04:49:54.893203 Details available
The mirror mechanism in SurgeFTP 2.3a1 allows user-assisted, remote FTP servers to cause a denial of service (restart) via a malformed response to a PASV command.
Published: 2007-07-15T21:00:00.000Z
Updated: 2024-08-07T14:28:52.379Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2001-0697 vulnerable 2026-06-08 04:45:20.674799 Details available
NetWin SurgeFTP prior to 1.1h allows a remote attacker to cause a denial of service (crash) via an 'ls ..' command.
Published: 2002-03-09T05:00:00.000Z
Updated: 2024-08-08T04:30:06.066Z
Imported from gcve-enriched-dumps CVE data
