proftpd · threatengine.sh

CVE-2010-20103

all versions

A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 20

9.8CRITICAL

CVE-2023-51713

< 1.3.8a

make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quo

7.5HIGH

CVE-2023-48795

<= 1.3.8b

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attacker

5.9MEDIUM

CVE-2021-46854

< 1.3.7c

mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters.

7.5HIGH

CVE-2020-9273

all versions

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-f

8.8HIGH

CVE-2020-9272

< 1.3.6c

ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function.

7.5HIGH

CVE-2019-19269

<= 1.3.5e

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is re

4.9MEDIUM

CVE-2019-19272

< 1.3.6

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to

7.5HIGH

CVE-2019-19271

< 1.3.6

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certifi

7.5HIGH

CVE-2019-19270

<= 1.3.5

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (ch

7.5HIGH

CVE-2019-18217

<= 1.3.5

ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of ove

7.5HIGH

CVE-2019-12815

<= 1.3.5b

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosu

9.8CRITICAL

CVE-2017-7418

<= 1.3.5

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link throug

5.5MEDIUM

CVE-2016-3125

<= 1.3.5

The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which

7.5HIGH

CVE-2015-3306

all versions

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto

CVE-2013-4359

all versions

Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memor

CVE-2012-6095

<= 1.3.4

ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a r

CVE-2011-4130

<= 1.3.3

Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary c

CVE-2011-1137

<= 1.3.3

Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of serv

CVE-2010-4652

<= 1.3.3

Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled

CVE-2010-4221

all versions

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attack

CVE-2010-3867

all versions

Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users

CVE-2008-7265

<= 1.3.2

The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote authenticated users to cause a denial of service (CPU consumpti

CVE-2009-3639

<= 1.3.2

The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not p

CVE-2009-0543

all versions

ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid,

CVE-2009-0542

all versions

SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via

CVE-2008-4242

all versions

ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-sit

CVE-2007-2165

<= 1.3.0_rc1

The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that t

CVE-2006-6563

all versions

Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 al

CVE-2006-6171

<= 1.3.0a

ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration fi

CVE-2006-6170

<= 1.3.0a

Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly o

CVE-2006-5815

<= 1.3.0

Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated,

CVE-2005-4816

all versions

Buffer overflow in mod_radius in ProFTPD before 1.3.0rc2 allows remote attackers to cause a denial of service (crash) and possibly

CVE-2005-2390

all versions

Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow attackers to cause a denial of service or obtain sensitive

CVE-2004-0346

>= 1.2.7 and < 1.2.9

Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a

7.8HIGH

CVE-2004-1602

>= 1.2.0 and <= 1.2.10

ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remot

CVE-2004-0432

all versions

ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL entries as if they were AllowAll, which could allow FTP clie

CVE-2003-0831

all versions

ProFTPD 1.2.7 through 1.2.9rc2 does not properly translate newline characters when transferring files in ASCII mode, which allows

CVE-2003-0500

all versions

SQL injection vulnerability in the PostgreSQL authentication module (mod_sql_postgres) for ProFTPD before 1.2.9rc1 allows remote a

CVE-2001-1501

all versions

The glob functionality in ProFTPD 1.2.1, and possibly other versions allows remote attackers to cause a denial of service (CPU and

CVE-2001-1500

all versions

ProFTPD 1.2.2rc2, and possibly other versions, does not properly verify reverse-resolved hostnames by performing forward resolutio

CVE-2001-0318

all versions

Format string vulnerability in ProFTPD 1.2.0rc2 may allow attackers to execute arbitrary commands by shutting down the FTP server

CVE-2001-0136

all versions

Memory leak in ProFTPd 1.2.0rc2 allows remote attackers to cause a denial of service via a series of USER commands, and possibly S

CVE-2001-0027

all versions

mod_sqlpw module in ProFTPD does not reset a cached password when a user uses the "user" command to change accounts, which allows

CVE-1999-1475

all versions

ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords in the wtmp log file, which allows local users to obtain the

CVE-1999-0911

all versions

Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands

CVE-1999-0368

all versions

Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remote root access, a.k.a. palmetto.