Re: WinSCP 5.14...
The article says yes, but https://www.cvedetails.com/cve/CVE-2018-20684 says:
"In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files."
Version 5.13.5 apparently is "before 5.14" but perhaps is not counted?
I think, firewall: don't let your WinSCP play with strange servers.
Having said that, I'm looking at an old WinSCP version here, which says:
"SSH and SCP code based on PuTTY 0.63+"
If WinSCP is based on PuTTY, and PuTTY hasn't been fixed, then...…huh???