CVE-2022-27665: 
WS_FTP Server vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability exists in Progress Ipswitch WS_FTP Server 8.6.0, tracked as CVE-2022-27665. The vulnerability was discovered on March 22, 2022, and publicly disclosed on April 3, 2023. The vulnerability allows attackers to execute malicious code and commands on the client side through AngularJS sandbox escape expressions (Hacker News, NVD).

The vulnerability is caused by improper handling of user-provided input in the subdirectory searchbar and Add folder filename boxes. Specifically, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability can lead to the execution of malicious code and commands on the client side. The attack requires user interaction and can result in compromised confidentiality and integrity of the affected system (NVD).

Users are advised to upgrade to WSFTP Server 2022.0.2 (8.8.2) or WSFTP Server 2020.0.4 (8.7.4) as referenced in the Progress security advisory (Progress Release Notes).