|Date: (C)2008-02-27 (M)2017-08-08|
|CVSS Score: 6.4||Access Vector: NETWORK|
|Exploitability Subscore: 10.0||Access Complexity: LOW|
|Impact Subscore: 4.9||Authentication: NONE|
| ||Confidentiality: NONE|
| ||Integrity: PARTIAL|
| ||Availability: PARTIAL|
The administration web interface in NetWin SurgeFTP 2.3a2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a large integer in the Content-Length HTTP header, which triggers a NULL pointer dereference when memory allocation fails.