CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24366 – Insufficient sanitization of user provided rsync command in SFTPGo
https://notcve.org/view.php?id=CVE-2025-24366
07 Feb 2025 — SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to r... • https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52801 – Brute force takeover of OpenID Connect session cookies in sftpgo
https://notcve.org/view.php?id=CVE-2024-52801
29 Nov 2024 — sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically secure. This issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings. All users ar... • https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52309 – SFTPGo allows administrators to restrict command execution from the EventManager
https://notcve.org/view.php?id=CVE-2024-52309
21 Nov 2024 — SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running... • https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37897 – Insufficient access control for password reset in sftpgo
https://notcve.org/view.php?id=CVE-2024-37897
20 Jun 2024 — SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a... • https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423 • CWE-287: Improper Authentication •
CVSS: 5.9EPSS: 67%CPEs: 79EXPL: 3CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
18 Dec 2023 — The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phas... • https://packetstorm.news/files/id/176280 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39220 – XSS Vulnerabilities in WebClient
https://notcve.org/view.php?id=CVE-2022-39220
20 Sep 2022 — SFTPGo is an SFTP server written in Go. Versions prior to 2.3.5 are subject to Cross-site scripting (XSS) vulnerabilities in the SFTPGo WebClient, allowing remote attackers to inject malicious code. This issue is patched in version 2.3.5. No known workarounds exist. SFTPGo es un servidor SFTP escrito en Go. • https://github.com/drakkan/sftpgo/security/advisories/GHSA-cf7g-cm7q-rq7f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36071 – Recovery codes abuse in SFTPGo
https://notcve.org/view.php?id=CVE-2022-36071
02 Sep 2022 — SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-fa... • https://github.com/drakkan/sftpgo/issues/965 • CWE-287: Improper Authentication CWE-916: Use of Password Hash With Insufficient Computational Effort •