SFTPGo is susceptible to cross-site scripting (XSS) vulnerabilities in the WebClient component. According to the vendor, these vulnerabilities have been fixed in version 2.3.5. No known workarounds exist. SFTPGo is an open source SFTP server with optional HTTP/S, FTP/S and WebDAV support; the WebClient is its browser-based interface through which end users browse and manage their files.

Summary

SFTPGo is a free and open source SFTP server with optional HTTP/S, FTP/S and WebDAV support. Versions prior to 2.3.5 are vulnerable to cross-site scripting in the WebClient component: attacker-controlled input carried from one page into another is reflected into the HTML response without adequate escaping, so arbitrary script can be injected into the page and executed in the victim's browser within the WebClient's origin. The issue is fixed in version 2.3.5; there are currently no known workarounds, so upgrading is the only remediation.

Fixed in version 2.3.5

1.1 Overview

According to CVE-2022-39220, SFTPGo has a cross-site scripting (XSS) vulnerability in the WebClient component. It allows an attacker to inject JavaScript that runs in a victim's browser, in the origin of the SFTPGo WebClient, when the victim opens a page that reflects the injected content; from there the script can act with the victim's WebClient session.
The SFTPGo project reports that these vulnerabilities have been fixed in version 2.3.5. Check the version of the running SFTPGo instance and upgrade to 2.3.5 or later; no configuration-level workaround is known.
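As an added illustration of the flaw class described in the summary and overview above (user-controlled input reflected into an HTML response), here is a minimal Go program, SFTPGo's implementation language. This is example code written for this page, not SFTPGo's own code, and it does not reproduce the actual vulnerable code path, which this page does not show. The query parameter name `path`, the page template and the payload are all hypothetical. The unsafe handler interpolates the parameter into HTML with string formatting; the hardened one renders the same value through `html/template`, whose contextual escaping neutralises the markup.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hypothetical demo handlers, not SFTPGo code. The "path" parameter is an
// assumption made for this example.

// RenderUnsafe builds HTML by string formatting: the query parameter is
// reflected verbatim into the response, so a value such as
// <script>alert(document.cookie)</script> becomes executable markup.
func RenderUnsafe(w http.ResponseWriter, r *http.Request) {
	p := r.URL.Query().Get("path")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<html><body><h1>Listing for %s</h1></body></html>", p)
}

// page is the same markup as above, but parsed by html/template, which
// tracks the HTML context each action lands in and escapes accordingly.
var page = template.Must(template.New("page").Parse(
	"<html><body><h1>Listing for {{.}}</h1></body></html>"))

// RenderSafe passes the parameter through the template; in HTML text
// context html/template escapes <, >, &, quotes and a few other characters.
func RenderSafe(w http.ResponseWriter, r *http.Request) {
	p := r.URL.Query().Get("path")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, p); err != nil {
		http.Error(w, "render error", http.StatusInternalServerError)
	}
}

// Render issues an in-process GET with the given path value and returns the
// response body, so both handlers can be compared offline without a server.
func Render(h http.HandlerFunc, pathValue string) string {
	req := httptest.NewRequest(http.MethodGet, "/?path="+url.QueryEscape(pathValue), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// Reflected reports whether the raw payload appears unescaped in the body,
// which is the condition for the injected script to execute.
func Reflected(body, payload string) bool {
	return strings.Contains(body, payload)
}

func main() {
	payload := "<script>alert(document.cookie)</script>"
	fmt.Println("unsafe handler reflects payload:", Reflected(Render(RenderUnsafe, payload), payload))
	fmt.Println("safe handler reflects payload:  ", Reflected(Render(RenderSafe, payload), payload))
	fmt.Println(Render(RenderSafe, payload))
}
```

The check in `Reflected` is the same one a tester applies when confirming reflected XSS: if the exact payload survives into the response body, the browser will parse it as markup. Note that `html/template` escaping is context dependent; a value placed inside an attribute, a URL or a `<script>` block is escaped differently, so the template, not ad hoc string building, must own the HTML.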

Timeline

Published on: 09/20/2022 22:15:00 UTC
Last modified on: 09/22/2022 14:12:00 UTC