CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3871 – Broken Access Control Leads to Limited Denial of Service in GoAnywhere MFT 7.8.0 and earlier
https://notcve.org/view.php?id=CVE-2025-3871
16 Jul 2025 — Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP. • https://www.fortra.com/security/advisories/product-security/FI-2025-009 • CWE-862: Missing Authorization •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11922 – Input Validation vulnerability in Web Client emails that do not go through Secure Mail
https://notcve.org/view.php?id=CVE-2024-11922
28 Apr 2025 — Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. • https://www.fortra.com/security/advisories/product-security/fi-2025-005 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9945 – Limited Information Disclosure in GoAnywhere MFT Prior to 7.7.0
https://notcve.org/view.php?id=CVE-2024-9945
13 Dec 2024 — An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders. • https://www.fortra.com/security/advisories/product-security/fi-2024-014 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-425: Direct Request ('Forced Browsing') •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25157 – Authentication bypass in GoAnywhere MFT prior to 7.6.0
https://notcve.org/view.php?id=CVE-2024-25157
14 Aug 2024 — An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification. • https://www.fortra.com/security/advisories/product-security/fi-2024-009 • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25156 – Path traversal in GoAnywhere MFT 7.4.1 and Earlier
https://notcve.org/view.php?id=CVE-2024-25156
14 Mar 2024 — A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. Existe una vulnerabilidad de path traversal en GoAnywhere MFT anterior a 7.4.2 que permite a los atacantes eludir las comprobaciones de permisos específicos de los terminales en GoAnywhere Admin y Web Clients. • https://www.fortra.com/security/advisory/fi-2024-004 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •