Ipswitch


Products by Ipswitch Sorted by Most Security Vulnerabilities since 2018

Ipswitch Ws Ftp Server: 20 vulnerabilities

Ipswitch Whatsup Gold: 11 vulnerabilities

Ipswitch Imail: 4 vulnerabilities

Ipswitch Moveit Transfer: 4 vulnerabilities

Ipswitch Moveit: 1 vulnerability

Ipswitch Ws Ftp Pro: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Ipswitch. Ipswitch did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 5 6.50
2023 8 7.83
2022 5 6.38
2021 0 0.00
2020 0 0.00
2019 6 8.95
2018 5 9.80

It may take a day or so for new Ipswitch vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Ipswitch Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2024-8785 Dec 02, 2024
WhatsUp Gold NmAPI.exe Remote Unauthenticated Registry Manipulation Vulnerability
In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.
Whatsup Gold
CVE-2024-9999 Nov 12, 2024
Auth Bypass in WS_FTP Server <8.8.9 via Web Transfer Module
In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
Ws Ftp Server
CVE-2024-7745 Aug 28, 2024
WS_FTP Server <=8.8.7 MFA Bypass in Web Transfer
In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
Ws Ftp Server
CVE-2024-7744 Aug 28, 2024
WS_FTP Server <8.8.8: Web Transfer Path Traversal Allows Arbitrary File Download
In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal. An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:).
Ws Ftp Server
CVE-2024-1474 Feb 21, 2024
WS_FTP Server vulnerable to reflected XSS in admin interface before 8.8.5
In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface.
Ws Ftp Server
CVE-2023-6366 Dec 14, 2023
WhatsUp Gold <2023.1 Stored XSS in Alert Center
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.
Whatsup Gold
CVE-2023-42659 Nov 07, 2023
Unrestricted File Upload in WS_FTP Server <8.7.6/8.8.4
In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application.
Ws Ftp Server
CVE-2023-42657 Sep 27, 2023
WS_FTP Server <8.7.4 or <8.8.2: Directory Traversal Allowing File Ops
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.
Ws Ftp Server
CVE-2023-40049 Sep 27, 2023
WS_FTP Server <8.8.2 Directory Enumeration via WebServiceHost
In WS_FTP Server versions prior to 8.8.2, an unauthenticated user could enumerate files under the 'WebServiceHost' directory listing.
Ws Ftp Server
CVE-2023-40048 Sep 27, 2023
WS_FTP Server POST CSRF vulnerability pre-8.8.2
In WS_FTP Server versions prior to 8.8.2, the WS_FTP Server Manager interface was missing cross-site request forgery (CSRF) protection on a POST transaction corresponding to a WS_FTP Server administrative function.
Ws Ftp Server
CVE-2023-40046 Sep 27, 2023
SQLi in WS_FTP Server Manager pre 8.7.4 & 8.8.2
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
Ws Ftp Server
CVE-2023-40044 Sep 27, 2023
WS_FTP Server <8.7.4/8.8.2 .NET Deserialization Enables Remote Cmd Exec
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
Ws Ftp Server
CVE-2023-35708 Jun 16, 2023
MOVEit Transfer SQLi in MOVEit Transfer < 2021.0.8 (Unauth DB Access)
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Moveit Transfer
CVE-2022-36967 Aug 02, 2022
WS_FTP Server <8.7.3: Reflected XSS in Admin Web Interface
In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser.
Ws Ftp Server
CVE-2022-29845 May 11, 2022
In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read the contents of a local file.
Whatsup Gold
CVE-2022-29846 May 11, 2022
In Progress Ipswitch WhatsUp Gold 16.1 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to obtain the WhatsUp Gold installation serial number.
Whatsup Gold
CVE-2022-29847 May 11, 2022
In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host.
Whatsup Gold
CVE-2022-29848 May 11, 2022
In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system attributes from a host that is accessible by the WhatsUp Gold system.
Whatsup Gold
CVE-2019-18465 Oct 31, 2019
In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in without full credentials via the SSH (SFTP) interface. The vulnerability affects only certain SSH (SFTP) configurations, and is applicable only if the MySQL database is being used.
Moveit Transfer
CVE-2019-18464 Oct 31, 2019
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database or may be able to alter the database.
Moveit Transfer
CVE-2019-16383 Sep 24, 2019
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection.
Moveit Transfer
CVE-2019-12146 Jun 11, 2019
A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. Attackers have the ability to abuse a flaw in the SCP listener by crafting strings using specific patterns to write files and create directories outside of their authorized directory.
Ws Ftp Server
CVE-2019-12145 Jun 11, 2019
A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to disclose path names on the host operating system.
Ws Ftp Server
CVE-2019-12144 Jun 11, 2019
An issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. Attackers have the ability to abuse a path traversal vulnerability using the SCP protocol. Attackers who leverage this flaw could also obtain remote code execution by crafting a payload that abuses the SITE command feature.
Ws Ftp Server
CVE-2018-8939 May 01, 2018
An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands.
Whatsup Gold
CVE-2018-8938 May 01, 2018
A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server.
Whatsup Gold
CVE-2018-6545 Feb 02, 2018
Ipswitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability, as demonstrated by human.aspx. Attackers can leverage this vulnerability to send malicious messages to other users in order to steal session cookies and launch client-side attacks.
Moveit
CVE-2018-5778 Jan 24, 2018
An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors.
Whatsup Gold
CVE-2018-5777 Jan 24, 2018
An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Remote clients can take advantage of a misconfiguration in the TFTP server that could allow attackers to execute arbitrary commands on the TFTP server via unspecified vectors.
Whatsup Gold
CVE-2006-5001 Sep 26, 2006
Unspecified vulnerability in the log analyzer in WS_FTP Server 5.05 before Hotfix 1, and possibly other versions down to 5.0, prevents certain sensitive information from being displayed in the (1) Files and (2) Summary tabs. NOTE: in the early publication of this identifier on 20060926, the description was used for the wrong issue.
Ws Ftp Server
CVE-2006-5000 Sep 26, 2006
Multiple buffer overflows in WS_FTP Server 5.05 before Hotfix 1, and possibly other versions down to 5.0, have unknown impact and remote authenticated attack vectors via the (1) XCRC, (2) XMD5, and (3) XSHA1 commands. NOTE: in the early publication of this identifier on 20060926, the description was used for the wrong issue.
Ws Ftp Server
CVE-2006-4847 Sep 19, 2006
Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands.
Ws Ftp Server
CVE-2005-2160 Jul 06, 2005
IMail stores usernames and passwords in cleartext in a cookie, which allows remote attackers to obtain sensitive information.
Imail
CVE-2004-1848 Dec 31, 2004
Ipswitch WS_FTP Server 4.0.2 allows remote attackers to cause a denial of service (disk consumption) and bypass file size restrictions via a REST command with a large size argument, followed by a STOR of a smaller file.
Ws Ftp Server
CVE-2004-0799 Oct 20, 2004
The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm".
Whatsup Gold
CVE-2004-1884 Mar 23, 2004
Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with a default password, which allows remote attackers to gain access.
Ws Ftp Server
Ws Ftp Pro
CVE-2003-0772 Sep 22, 2003
Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments.
Ws Ftp Server
CVE-2000-0019 Mar 04, 1999
IMail POP3 daemon uses weak encryption, which allows local users to read files.
Imail
CVE-1999-1171 Feb 02, 1999
IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.
Imail
CVE-1999-1170 Jan 02, 1999
IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.
Imail
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).