Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.08998 Percentile:
0.9223
CVSS Scoring
CVSS v2 Score: 7.1
Severity:
Mapped CWE(s)
CWE-88
: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
All CAPEC(s)
CAPEC-137: Parameter Injection
CAPEC-174: Flash Parameter Injection
CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads