WinSCP < 3.8.2 Arbitrary Command Insertion

High

Synopsis

The remote host is vulnerable to an arbitrary 'command insertion' flaw.

Description

The remote host is running WinSCP, a file transfer application that utilizes Secure Shell (SSH) as the transport protocol. This version of WinSCP is vulnerable to a flaw in the way that it parses URI strings. An attacker exploiting this flaw would need to be able to convince a WinSCP user to click on a malicious URI. Successful exploitation would result in the attacker executing arbitrary commands with the rights of the user running WinSCP.

Solution

Upgrade to version 3.8.2 or higher.