JSCAPE Secure FTP Applet suffers from a man-in-the-middle vulnerability

Risk: Medium
Local: No
Remote: Yes
CWE: CWE-287

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

The JSCAPE Secure FTP Applet suffers from a man-in-the-middle vulnerability.

JSCAPE software has been deployed in a wide array of industries including aerospace, banking, communications, education, insurance, finance, government and software, with customers in more than 50 countries worldwide. Customers include Boeing, SUN, ISS and SAP; see http://www.jscape.com/clients.html for more details.

The JSCAPE Secure FTP Applet is a secure FTP client that runs within Java-enabled web browsers. The software supports SFTP (FTP over SSH) and FTPS (FTP over SSL) for encrypted file transfer.

To prevent man-in-the-middle attacks, it is important to check the authenticity of the destination server by verifying the server's host key when establishing the SSH connection. With previous versions of the JSCAPE Secure FTP Applet it was not possible to verify the authenticity of the destination server. Users of affected versions are therefore not able to identify man-in-the-middle attacks, and the supposedly secure connection is no longer secure. An attacker is able to eavesdrop on the connection in order to extract the username and password or take over the initiated session.
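The host key check described above, sketched as an added example (this is not JSCAPE's code or API): the client compares the key blob the server presents against a pin obtained out of band, and refuses to send credentials on anything but an exact match. The host name `sftp.example.test`, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in SSH wire encoding (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(raw_key: bytes) -> bytes:
    """Public key blob in the layout a server sends during key exchange."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, for showing to the user."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map host -> list of pinned key blobs (plain entries only)."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        blob = base64.b64decode(fields[2])
        for host in fields[0].split(","):
            pins.setdefault(host, []).append(blob)
    return pins

def verify_host_key(host: str, presented: bytes, pins: dict) -> str:
    """Return 'trusted', 'unknown' (no pin yet) or 'mismatch'."""
    known = pins.get(host)
    if not known:
        return "unknown"      # caller must ask the user, never auto-accept
    if any(hmac.compare_digest(blob, presented) for blob in known):
        return "trusted"
    return "mismatch"         # possible man-in-the-middle: abort before auth

# Constructed sample data: host name and key bytes are made up.
SERVER_KEY = ed25519_blob(bytes(range(32)))
OTHER_KEY = ed25519_blob(b"\x42" * 32)
KNOWN_HOSTS = ("# pinned out of band\nsftp.example.test ssh-ed25519 "
               + base64.b64encode(SERVER_KEY).decode() + "\n")
PINS = parse_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    for name, key in (("expected key", SERVER_KEY), ("different key", OTHER_KEY)):
        print(name, fingerprint(key), verify_host_key("sftp.example.test", key, PINS))
```

A client that cannot produce the `mismatch` or `unknown` outcome, as the advisory describes for affected versions, gives the user no way to notice that a different key was presented.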

Copyright 2019, cxsecurity.com