Input Validation vulnerability in Web Client emails that do not go through Secure Mail

FI-2025-005 - Input Validation vulnerability in Web Client emails that do not go through Secure Mail

Severity

Medium

Published Date

28-Apr-2025

Updated Date

28-Apr-2025

Vulnerabilities

CVE-2024-11922

Notes

Description

Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. This could lead to a cross-site scripting attack by a malicious user.

Vulnerabilities

Input Validation vulnerability in Web Client emails that do not go through Secure Mail

Severity

Medium

CVE

CVE-2024-11922

CWE

CWE-79:Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Discovery Date

25-Nov-2024

CSSv3.1

6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products

GoAnywhere MFT Prior to 7.8.0

Vulnerability Notes

Remediation: Mitigation

Limit access to only trustworthy Web Users

Remediation: Vendor Fix

Upgrade to GoAnywhere MFT 7.8.0 or later

References

()

References

CVE-2024-11922

Input Validation vulnerability in Web Client emails that do not go through Secure Mail

FI-2025-005 - Input Validation vulnerability in Web Client emails that do not go through Secure Mail

Notes

Vulnerabilities

Vulnerability Notes

References

References

Privacy Policy

Cookie Policy

Accessibility

Impressum