CVE-2024-7744

In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal.

An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:)

Published: Aug 28, 2024
Updated: May 4, 2025
CVE: CVE-2024-7744
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
progress / ws_ftp_server	-	8.8.8

https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024
https://www.progress.com/ftp-server

Vulnerability Database

289,697

CVE-2024-7744