CVE-2024-0204 – Authentication Bypass in GoAnywhere MFT
https://notcve.org/view.php?id=CVE-2024-0204
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
• https://github.com/horizon3ai/CVE-2024-0204 https://github.com/m-cetin/CVE-2024-0204 https://github.com/cbeek-r7/CVE-2024-0204 https://github.com/adminlove520/CVE-2024-0204 http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml https://www.fortra.com/security/advisory/fi-2024-001 https://www.horizon3&
• CWE-425: Direct Request ('Forced Browsing')
CVE-2023-0669 – Fortra GoAnywhere MFT Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-0669
Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2. GoAnywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability. Fortra (formerly HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object.
• https://www.exploit-db.com/exploits/51339 https://github.com/Avento/CVE-2023-0669 https://github.com/0xf4n9x/CVE-2023-0669 https://github.com/yosef0x01/CVE-2023-0669-Analysis https://github.com/cataliniovita/CVE-2023-0669 http://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis https://duo.com/decipher/fortra-patches-actively-exploited-zero-day-in-goanywhere-mft https:/
• CWE-502: Deserialization of Untrusted Data
CVE-2021-46830
https://notcve.org/view.php?id=CVE-2021-46830
A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 in deployments that utilize self-registration for the GoAnywhere Web Client. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended.
• https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml https://www.goanywhere.com/support/advisory/68x https://www.goanywhere.com/support/release-notes/mft?limit=0
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')