Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program.

Wing FTP Server before 4.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via two zip commands.

Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in Cerberus FTP Server before 5.0.5.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user account or (2) reconfigure the state of the FTP service, as demonstrated by a request to usermanager/users/modify.

The default configuration of Cerberus FTP Server before 5.0.4.0 supports the DES cipher for SSH sessions, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and performing a brute-force attack on the encrypted data.

FTPService.exe in Blackmoon FTP 3.1 Build 1735 and Build 1736 (3.1.7.1736), and possibly other versions before 3.1.8.1737, allows remote attackers to cause a denial of service (crash) via a large number of PORT commands with long arguments, which triggers a NULL pointer dereference. NOTE: some of these details are obtained from third party information.

Cerberus FTP Server before 4.0.3.0 allows remote authenticated users to list hidden files, even when the "Display hidden files" option is enabled, via the (1) MLSD or (2) MLST commands.

Cross-site scripting (XSS) vulnerability in admin_loginok.html in the Administrator web interface in Wing FTP Server for Windows 3.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted POST request.

Directory traversal vulnerability in TitanFTPd in South River Technologies Titan FTP Server 8.10.1125, and probably earlier versions, allows remote authenticated users to read or delete arbitrary files via "..//" sequences in a COMB command.

Directory traversal vulnerability in TitanFTPd in South River Technologies Titan FTP Server 8.10.1125, and probably earlier versions, allows remote authenticated users to read arbitrary files, determine file size, via "..//" sequences in the xcrc command.

Multiple SQL injection vulnerabilities in Xlight FTP Server before 3.2.1, when ODBC authentication is enabled, allow remote attackers to execute arbitrary SQL commands via the (1) USER (aka username) or (2) PASS (aka password) command.