id: CVE-2023-22629 info: name: TitanFTP move-file Function ≤ 1.94.1205 - Path Traversal author: pussycat0x severity: high description: | TitanFTP versions up to 1.94.1205 contain a path traversal vulnerability in the move-file function where the newPath parameter is improperly validated. An authenticated user can upload a file and then move it to any location on the server filesystem, potentially allowing arbitrary file placement and system compromise. impact: | Authenticated attackers can exploit the move-file function to place files anywhere on the server filesystem using path traversal techniques, potentially overwriting system files, planting malicious executables, or compromising server integrity. remediation: | Upgrade to TitanFTP version newer than 1.94.1205 that properly validates the newPath parameter in the move-file function. reference: - http://packetstormsecurity.com/files/171737/Titan-FTP-Path-Traversal.html - https://titanftp.com - https://www.southrivertech.com/software/nextgen/titanftp/en/relnotes.pdf classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2023-22629 cwe-id: CWE-22 epss-score: 0.65083 epss-percentile: 0.98506 cpe: cpe:2.3:a:southrivertech:titan_ftp_server:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: southrivertech product: titan_ftp_server shodan-query: product:"Titan ftpd" tags: cve,cve2023,network,ftp,titan-ftp,tcp,passive,vuln tcp: - inputs: - data: 00000000 type: hex host: - "{{Hostname}}" port: 21 read-size: 1024 matchers: - type: dsl dsl: - "contains(raw, 'TitanFTP')" - "compare_versions(version, '<= 1.94.1205')" condition: and extractors: - type: regex group: 1 name: version regex: - "TitanFTP ([0-9.]+)" # digest: 4a0a004730450220698805bee074f97e12dd0515a2413926f65905806294d045d29077c3d0160f35022100deb1f041cfd6a3135622fe2b1d7419dfc7472cc50f7cdff4f15814a6ab845b89:922c64590222798bb761d5b6d8e72950