CVE-2024-11922 - Vulnerability Details - OpenCVE

Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortra	Goanywhere Managed File Transfer

Configuration 1 [-]

cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.fortra.com/security/advisories/product-security/fi-2025-005

History

Sat, 10 May 2025 01:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortra Fortra goanywhere Managed File Transfer
CPEs		cpe:2.3:a:fortra:goanywhere_managed_file_transfer::::::::
Vendors & Products		Fortra Fortra goanywhere Managed File Transfer

Mon, 28 Apr 2025 23:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 28 Apr 2025 21:15:00 +0000

Type	Values Removed	Values Added
Description		Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.
Title		Input Validation vulnerability in Web Client emails that do not go through Secure Mail
Weaknesses		CWE-79
References		https://www.fortra.com/security/advisories/product-security/fi-2025-005
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Fortra

Published: 2025-04-28T20:57:37.388Z

Updated: 2025-04-28T22:27:53.032Z

Reserved: 2024-11-27T18:20:19.664Z

Link: CVE-2024-11922

Vulnrichment

Updated: 2025-04-28T22:27:49.956Z

NVD

Status : Analyzed

Published: 2025-04-28T21:15:56.560

Modified: 2025-05-10T00:55:57.800

Link: CVE-2024-11922

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11922", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2024-11-27T18:20:19.664Z", "datePublished": "2025-04-28T20:57:37.388Z", "dateUpdated": "2025-04-28T22:27:53.032Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux", "64 bit", "iSeries", "IBM System P", "IBM z (Mainframe)", "UNIX"], "product": "GoAnywhere MFT", "vendor": "Fortra", "versions": [{"lessThanOrEqual": "7.7.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2025-04-22T18:09:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email."}], "value": "Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u00a0insert arbitrary HTML or JavaScript into an email."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2025-04-28T20:57:37.388Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.fortra.com/security/advisories/product-security/fi-2025-005"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to version 7.8.0"}], "value": "Upgrade to version 7.8.0"}], "source": {"discovery": "EXTERNAL"}, "title": "Input Validation vulnerability in Web Client emails that do not go through Secure Mail", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.055);\">Limit access to only trustworthy Web Users</span>\n\n<br>"}], "value": "Limit access to only trustworthy Web Users"}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-28T22:27:45.719964Z", "id": "CVE-2024-11922", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-28T22:27:53.032Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11922", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-28T22:27:45.719964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-28T22:27:49.956Z"}}], "cna": {"title": "Input Validation vulnerability in Web Client emails that do not go through Secure Mail", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "7.7.1"}], "platforms": ["Windows", "Linux", "64 bit", "iSeries", "IBM System P", "IBM z (Mainframe)", "UNIX"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 7.8.0", "supportingMedia": [{"type": "text/html", "value": "Upgrade to version 7.8.0", "base64": false}]}], "datePublic": "2025-04-22T18:09:00.000Z", "references": [{"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-005", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "Limit access to only trustworthy Web Users", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.055);\">Limit access to only trustworthy Web Users</span>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u00a0insert arbitrary HTML or JavaScript into an email.", "supportingMedia": [{"type": "text/html", "value": "Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2025-04-28T20:57:37.388Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11922", "state": "PUBLISHED", "dateUpdated": "2025-04-28T22:27:53.032Z", "dateReserved": "2024-11-27T18:20:19.664Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2025-04-28T20:57:37.388Z", "assignerShortName": "Fortra"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD3F5A76-B606-456D-9B85-9C63D5953A41", "versionEndExcluding": "7.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to\u00a0insert arbitrary HTML or JavaScript into an email."}, {"lang": "es", "value": "La falta de validaci\u00f3n de entrada en ciertas funciones del cliente web de GoAnywhere de Fortra anterior a la versi\u00f3n 7.8.0 permite que un atacante con permiso para activar correos electr\u00f3nicos inserte HTML o JavaScript arbitrario en un correo electr\u00f3nico."}], "id": "CVE-2024-11922", "lastModified": "2025-05-10T00:55:57.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-28T21:15:56.560", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Vendor Advisory"], "url": "https://www.fortra.com/security/advisories/product-security/fi-2025-005"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}