CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3871 – Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT 7.8.0 and earlier
https://notcve.org/view.php?id=CVE-2025-3871
16 Jul 2025 — Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP. • https://www.fortra.com/security/advisories/product-security/FI-2025-009 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-5141 – Core Privileged Access Manager (BoKS) Leakage of Sensitive Data via the Cache
https://notcve.org/view.php?id=CVE-2025-5141
17 Jun 2025 — A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) and also legacy tar installs of BoKS 7.2 without hotfix #0474 on Linux, AIX, and Solaris allows low privilege local users to dump data from the cache. • https://www.cve.org/cverecord?id=CVE-2025-5141 • CWE-524: Use of Cache Containing Sensitive Information •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11922 – Input Validation vulnerability in Web Client emails that do not go through Secure Mail
https://notcve.org/view.php?id=CVE-2024-11922
28 Apr 2025 — Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. • https://www.fortra.com/security/advisories/product-security/fi-2025-005 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0049 – Disclosure of sensitive information in an error message in GoAnywhere prior to version 7.8.0
https://notcve.org/view.php?id=CVE-2025-0049
28 Apr 2025 — When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for application mapping. This issue affects GoAnywhere: before 7.8.0. When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for application mapping. This issue affects GoAnywhere: before 7.8.0... • https://www.fortra.com/security/advisories/product-security/fi-2025-004 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11923 – Sensitive Information Disclosure in Fortra Application Hub Prior to version 1.3
https://notcve.org/view.php?id=CVE-2024-11923
17 Jan 2025 — Under certain log settings the IAM or CORE service will log credentials in the iam logfile in Fortra Application Hub (Formerly named Helpsystems One) prior to version 1.3 Under certain log settings the IAM or CORE service will log credentials in the iam logfile in Fortra Application Hub (Formerly named Helpsystems One) prior to version 1.3 • https://www.fortra.com/security/advisories/product-security/fi-2025-003 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9945 – Limited Information Disclosure in GoAnywhere MFT Prior to 7.7.0
https://notcve.org/view.php?id=CVE-2024-9945
13 Dec 2024 — An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders. • https://www.fortra.com/security/advisories/product-security/fi-2024-014 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-425: Direct Request ('Forced Browsing') •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3334 – USB Security Feature Bypass in Digital Guardian Windows Agent Prior to version 8.2.0
https://notcve.org/view.php?id=CVE-2024-3334
15 Nov 2024 — A security bypass vulnerability exists in the Removable Media Encryption (RME)component of Digital Guardian Windows Agents prior to version 8.2.0. This allows a user to circumvent encryption controls by modifying metadata on the USB device thereby compromising the confidentiality of the stored data. • https://support.fortra.com/endpoint-dlp/kb-articles/dg-support-notice-security-bypass-vulnerability-with-rme-MTQwYTM5NTctZDk4Ny1lZjExLWFjMjEtNjA0NWJkMDFhMzQ3 • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8264 – Sensitive information in agent log file when detailed logging is enabled with Robot Schedule Enterprise prior to version 3.05
https://notcve.org/view.php?id=CVE-2024-8264
09 Oct 2024 — Fortra's Robot Schedule Enterprise Agent prior to version 3.05 writes FTP username and password information to the agent log file when detailed logging is enabled. • https://hstechdocs.helpsystems.com/releasenotes/Content/_ProductPages/Robot/RobotScheduleEnterprise.htm • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6632 – SQL Injection in FileCatalyst Workflow 5.1.6 Build 139 (and earlier)
https://notcve.org/view.php?id=CVE-2024-6632
27 Aug 2024 — A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability. • https://www.fortra.com/security/advisories/product-security/fi-2024-010 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6633 – Insecure Default in FileCatalyst Workflow 5.1.6 Build 139 (and earlier)
https://notcve.org/view.php?id=CVE-2024-6633
27 Aug 2024 — The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulner... • https://www.fortra.com/security/advisories/product-security/fi-2024-011 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •