-Affected products: WinSCP 4.03 and older
By default WinSCP installs url protocol handlers for the scp:// and sftp:// protocols.
These could be used by malicious web content to automatically upload any file from the local system to a remote server, or automatically download files from a remote server to the local system.
Since version 3.8.2 there is a sort of protection against this, but this does not stop all forms of attack.
On a machine you control set up an scp-only account with the username "scp" with any password.
Place this on a website: