CVE-2024-11922 (GCVE-0-2024-11922)

Vulnerability from cvelistv5 – Published: 2025-04-28 20:57 – Updated: 2025-04-28 22:27
VLAI?
Summary
Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.
Severity ?
6.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Fortra GoAnywhere MFT Affected: 0 , ≤ 7.7.1 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-11922",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-28T22:27:45.719964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-28T22:27:53.032Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux",
            "64 bit",
            "iSeries",
            "IBM System P",
            "IBM z (Mainframe)",
            "UNIX"
          ],
          "product": "GoAnywhere MFT",
          "vendor": "Fortra",
          "versions": [
            {
              "lessThanOrEqual": "7.7.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-04-22T18:09:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u0026nbsp;insert arbitrary HTML or JavaScript into an email."
            }
          ],
          "value": "Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u00a0insert arbitrary HTML or JavaScript into an email."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-28T20:57:37.388Z",
        "orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
        "shortName": "Fortra"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.fortra.com/security/advisories/product-security/fi-2025-005"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to version 7.8.0"
            }
          ],
          "value": "Upgrade to version 7.8.0"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Input Validation vulnerability in Web Client emails that do not go through Secure Mail",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.055);\"\u003eLimit access to only trustworthy Web Users\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Limit access to only trustworthy Web Users"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
    "assignerShortName": "Fortra",
    "cveId": "CVE-2024-11922",
    "datePublished": "2025-04-28T20:57:37.388Z",
    "dateReserved": "2024-11-27T18:20:19.664Z",
    "dateUpdated": "2025-04-28T22:27:53.032Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-11922\",\"sourceIdentifier\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"published\":\"2025-04-28T21:15:56.560\",\"lastModified\":\"2025-05-10T00:55:57.800\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u00a0insert arbitrary HTML or JavaScript into an email.\"},{\"lang\":\"es\",\"value\":\"La falta de validaci\u00f3n de entrada en ciertas funciones del cliente web de GoAnywhere de Fortra anterior a la versi\u00f3n 7.8.0 permite que un atacante con permiso para activar correos electr\u00f3nicos inserte HTML o JavaScript arbitrario en un correo electr\u00f3nico.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.8.0\",\"matchCriteriaId\":\"BD3F5A76-B606-456D-9B85-9C63D5953A41\"}]}]}],\"references\":[{\"url\":\"https://www.fortra.com/security/advisories/product-security/fi-2025-005\",\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-11922\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-28T22:27:45.719964Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-28T22:27:49.956Z\"}}], \"cna\": {\"title\": \"Input Validation vulnerability in Web Client emails that do not go through Secure Mail\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-63\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-63 Cross-Site Scripting (XSS)\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Fortra\", \"product\": \"GoAnywhere MFT\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.7.1\"}], \"platforms\": [\"Windows\", \"Linux\", \"64 bit\", \"iSeries\", \"IBM System P\", \"IBM z (Mainframe)\", \"UNIX\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to version 7.8.0\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Upgrade to version 7.8.0\", \"base64\": false}]}], \"datePublic\": \"2025-04-22T18:09:00.000Z\", \"references\": [{\"url\": \"https://www.fortra.com/security/advisories/product-security/fi-2025-005\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Limit access to only trustworthy Web Users\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgba(9, 30, 66, 0.055);\\\"\u003eLimit access to only trustworthy Web Users\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\\u00a0insert arbitrary HTML or JavaScript into an email.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u0026nbsp;insert arbitrary HTML or JavaScript into an email.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"shortName\": \"Fortra\", \"dateUpdated\": \"2025-04-28T20:57:37.388Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-11922\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-28T22:27:53.032Z\", \"dateReserved\": \"2024-11-27T18:20:19.664Z\", \"assignerOrgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"datePublished\": \"2025-04-28T20:57:37.388Z\", \"assignerShortName\": \"Fortra\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.