CVE-2024-45714: 
Serv-U Managed File Transfer Server vulnerability analysis and mitigation

CVE-2024-45714 is a Cross-Site Scripting (XSS) vulnerability discovered in SolarWinds Serv-U software. The vulnerability was disclosed on October 16, 2024, affecting Serv-U versions 15.4.2.3 and earlier. This security flaw allows an authenticated attacker with user permissions to modify variables with malicious payloads (SolarWinds Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.1 (MEDIUM) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N. SolarWinds has assigned it a slightly different score of 4.8 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers to execute cross-site scripting attacks by modifying variables with malicious payloads. This could potentially lead to unauthorized access to sensitive information or manipulation of web content within the application (Cyble Report).

SolarWinds has released version 15.5 of Serv-U to address this vulnerability. Users are strongly advised to upgrade to this latest version to mitigate the risk (SolarWinds Advisory).