FKIE_CVE-2024-11922

Vulnerability from fkie_nvd - Published: 2025-04-28 21:15 - Updated: 2025-05-10 00:55
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.
References
df4dee71-de3a-4139-9588-11b62fe6c0ffhttps://www.fortra.com/security/advisories/product-security/fi-2025-005Vendor Advisory
Impacted products
Vendor Product Version
fortra goanywhere_managed_file_transfer *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD3F5A76-B606-456D-9B85-9C63D5953A41",
              "versionEndExcluding": "7.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Missing input validation in certain features of the Web Client of Fortra\u0027s GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u00a0insert arbitrary HTML or JavaScript into an email."
    },
    {
      "lang": "es",
      "value": "La falta de validaci\u00f3n de entrada en ciertas funciones del cliente web de GoAnywhere de Fortra anterior a la versi\u00f3n 7.8.0 permite que un atacante con permiso para activar correos electr\u00f3nicos inserte HTML o JavaScript arbitrario en un correo electr\u00f3nico."
    }
  ],
  "id": "CVE-2024-11922",
  "lastModified": "2025-05-10T00:55:57.800",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-04-28T21:15:56.560",
  "references": [
    {
      "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.fortra.com/security/advisories/product-security/fi-2025-005"
    }
  ],
  "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.