vulnerability
WinSCP: CVE-2018-20684: Improper Input Validation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:N/I:P/A:P) | Jan 10, 2019 | Sep 11, 2025 | Sep 11, 2025 |
Severity
6
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
Published
Jan 10, 2019
Added
Sep 11, 2025
Modified
Sep 11, 2025
Description
In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp.
Solution
winscp-winscp-upgrade-latest
References
- CWE-20
- CVE-2018-20684
- https://attackerkb.com/topics/CVE-2018-20684
- URL-http://www.securityfocus.com/bid/106526
- URL-https://github.com/winscp/winscp/commit/49d876f2c5fc00bcedaa986a7cf6dedd6bf16f54
- URL-https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
- URL-https://winscp.net/eng/docs/history
- URL-https://winscp.net/tracker/1675
- URL-https://www.oracle.com/security-alerts/cpujan2020.html
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.