
CVE-2025-24366 – Insufficient sanitization of user provided rsync command in SFTPGo
https://notcve.org/view.php?id=CVE-2025-24366
07 Feb 2025 — SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands, some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and is limited to the local filesystem; it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to r... • https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-52801 – Brute force takeover of OpenID Connect session cookies in sftpgo
https://notcve.org/view.php?id=CVE-2024-52801
29 Nov 2024 — sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically secure. This issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings. All users ar... • https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVE-2024-52309 – SFTPGo allows administrators to restrict command execution from the EventManager
https://notcve.org/view.php?id=CVE-2024-52309
21 Nov 2024 — SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running... • https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb • CWE-20: Improper Input Validation •

CVE-2024-37897 – Insufficient access control for password reset in sftpgo
https://notcve.org/view.php?id=CVE-2024-37897
20 Jun 2024 — SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a... • https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423 • CWE-287: Improper Authentication •