FTP client in Midnight Commander (mc) before 4.5.11 stores usernames and passwords for visited sites in plaintext in the world-readable history file, which allows other local users to gain privileges.

Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.