CVE-2024-0204

🗓️ 22 Jan 2024 18:05:13Reported by FortraType

cve🔗 web.nvd.nist.gov📰️ 10 Media mentions👁 162 Views🌐 WEB

CVE-2024-0204: Authentication bypass in Fortra's GoAnywhere MF

Reporter	Title	Published	Views	Family All 32
GithubExploit	Exploit for Forced Browsing in Fortra Goanywhere_Managed_File_Transfer	4 Feb 202401:40	–	githubexploit
GithubExploit	Exploit for Forced Browsing in Fortra Goanywhere_Managed_File_Transfer	24 Jan 202420:10	–	githubexploit
GithubExploit	Exploit for Forced Browsing in Fortra Goanywhere_Managed_File_Transfer	23 Jan 202420:16	–	githubexploit
GithubExploit	Exploit for Forced Browsing in Fortra Goanywhere_Managed_File_Transfer	23 Jan 202422:42	–	githubexploit
BDU FSTEC	The vulnerability of the Fortra (HelpSystems) GoAnywhere MFT application for secure file transfer, related to security mechanism errors, allows attackers to escalate their privileges.	24 Jan 202400:00	–	bdu_fstec
Circl	CVE-2024-0204	22 Jan 202419:22	–	circl
CNNVD	Fortra GoAnywhere MFT Security Vulnerability	22 Jan 202400:00	–	cnnvd
Cvelist	CVE-2024-0204 Authentication Bypass in GoAnywhere MFT	22 Jan 202418:05	–	cvelist
Exploit DB	Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass	29 May 202500:00	–	exploitdb
Tenable Nessus	Fortra GoAnywhere Managed File Transfer (MFT) < 7.4.1 Authentication Bypass (CVE-2024-0204)	23 Jan 202400:00	–	nessus

NVD

Node

fortra goanywhere_managed_file_transferRange7.0.0–7.4.1

fortra goanywhere_managed_file_transferMatch6.0.0

[
  {
    "defaultStatus": "affected",
    "product": "GoAnywhere MFT",
    "vendor": "Fortra",
    "versions": [
      {
        "lessThan": "7.4.1",
        "status": "affected",
        "version": "6.0.1",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
fortra	www.fortra.com/security/advisory/fi-2024-001
packetstormsecurity	www.packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
my	www.my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
packetstormsecurity	www.packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html

Parameter	Position	Path	Description	CWE
j_id_u:creteAdminGrid:username	path	/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
j_id_u:creteAdminGrid:password_hinput	path	/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
j_id_u:creteAdminGrid:password	path	/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
j_id_u:creteAdminGrid:confirmPassword_hinput	path	/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
j_id_u:creteAdminGrid:confirmPassword	path	/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
createAdminForm_SUBMIT	path	/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
javax.faces.ViewState	path	/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
j_id_u:creteAdminGrid:username	path	/goanywhere/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
j_id_u:creteAdminGrid:password_hinput	path	/goanywhere/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425
j_id_u:creteAdminGrid:password	path	/goanywhere/..;/wizard/InitialAccountSetup.xhtml	Path traversal leading to initial account setup allowing admin creation (CVE-2024-0204)	CWE-425