CVE-2023-40053: 
Serv-U Managed File Transfer Server vulnerability analysis and mitigation

A vulnerability (CVE-2023-40053) was identified in SolarWinds Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature, which could be used maliciously. The vulnerability was disclosed on December 5, 2023, affecting Serv-U versions 15.4 HF2 and earlier (SolarWinds Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N. The vulnerability is classified as CWE-20 (Improper Input Validation) according to SolarWinds (NVD).

The vulnerability allows authenticated users to perform HTML injection through the file share function feature, potentially leading to malicious content insertion. The CVSS scoring indicates that while the vulnerability requires low attack complexity, it has limited impact on integrity with no direct effect on confidentiality or availability (NVD).

SolarWinds has released version 15.4.1 to address this vulnerability. Users are advised to upgrade to this version to mitigate the security risk (Release Notes).