Search
Search Results (30 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2010-4652 | 1 Proftpd | 1 Proftpd | 2025-04-11 | N/A |
| Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query. | ||||
| CVE-2009-3639 | 1 Proftpd | 1 Proftpd | 2025-04-09 | N/A |
| The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | ||||
| CVE-2009-0543 | 1 Proftpd | 1 Proftpd | 2025-04-09 | N/A |
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres. | ||||
| CVE-2020-9273 | 5 Debian, Fedoraproject, Opensuse and 2 more | 9 Debian Linux, Fedora, Backports Sle and 6 more | 2024-11-21 | 8.8 High |
| In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution. | ||||
| CVE-2020-9272 | 3 Opensuse, Proftpd, Siemens | 7 Backports Sle, Leap, Proftpd and 4 more | 2024-11-21 | 7.5 High |
| ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function. | ||||
| CVE-2019-19272 | 1 Proftpd | 1 Proftpd | 2024-11-21 | 7.5 High |
| An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup. | ||||
| CVE-2019-19271 | 1 Proftpd | 1 Proftpd | 2024-11-21 | 7.5 High |
| An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server. | ||||
| CVE-2019-19270 | 2 Fedoraproject, Proftpd | 2 Fedora, Proftpd | 2024-11-21 | 7.5 High |
| An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server. | ||||
| CVE-2019-19269 | 3 Debian, Fedoraproject, Proftpd | 3 Debian Linux, Fedora, Proftpd | 2024-11-21 | 4.9 Medium |
| An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup. | ||||
| CVE-2019-18217 | 1 Proftpd | 1 Proftpd | 2024-11-21 | 7.5 High |
| ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop. | ||||