CVE-2022-39220

2022-09-2022:15:10

CWE-79

[email protected]

web.nvd.nist.gov

sftpgo

sftp server

cross-site scripting

xss

vulnerability

patch

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

42.6%

JSON

SFTPGo is an SFTP server written in Go. Versions prior to 2.3.5 are subject to Cross-site scripting (XSS) vulnerabilities in the SFTPGo WebClient, allowing remote attackers to inject malicious code. This issue is patched in version 2.3.5. No known workarounds exist.

Affected configurations

Vulners

NVD

Node

drakkansftpgoRange<2.3.5

CPENameOperatorVersion
sftpgo_project:sftpgosftpgo project sftpgolt2.3.5

CPE	Name	Operator	Version
sftpgo_project:sftpgo	sftpgo project sftpgo	lt	2.3.5

CNA Affected

[
  {
    "product": "sftpgo",
    "vendor": "drakkan",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.3.5"
      }
    ]
  }
]