GoAnywhere MFT 7.9.1 HTML Injection

Published: 30 Apr 2026 00:00:00 | Reported by: Philipp Schweinzer | Type: packetstorm | Source: packetstorm.news | 38 views

GoAnywhere MFT HTML injection in email templates via untrusted variables, enabling phishing.

Related records

| Family | Title | Published | Code |
|---|---|---|---|
| ATTACKERKB | CVE-2026-0972 | 21 Apr 2026 14:14 | attackerkb |
| Circl | CVE-2026-0972 | 21 Apr 2026 17:18 | circl |
| CNNVD | Fortra GoAnywhere MFT security vulnerability | 21 Apr 2026 00:00 | cnnvd |
| CVE | CVE-2026-0972 | 21 Apr 2026 14:14 | cve |
| Cvelist | CVE-2026-0972 HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT | 21 Apr 2026 14:14 | cvelist |
| EUVD | EUVD-2026-24129 | 21 Apr 2026 15:32 | euvd |
| NVD | CVE-2026-0972 | 21 Apr 2026 15:16 | nvd |
| Positive Technologies | PT-2026-33978 | 21 Apr 2026 00:00 | ptsecurity |
| RedhatCVE | CVE-2026-0972 | 22 Apr 2026 19:22 | redhatcve |
| Vulnrichment | CVE-2026-0972 HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT | 21 Apr 2026 14:14 | vulnrichment |

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# GoAnywhere MFT Email HTML Injection #

Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251120-01_GoAnywhere_MFT_Email_HTML_Injection

## Vulnerability Overview ##

GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability
in its email templating functionality. If an attacker is able to influence
the content of a template variable, malicious HTML can be embedded into
outgoing emails generated by the application. As these messages originate
from a trusted system, the vulnerability may facilitate phishing and other
social-engineering attacks. The issue arises from insufficient HTML encoding
of untrusted input before inclusion in HTML email content.

* **Identifier**            : SBA-ADV-20251120-01
* **Type of Vulnerability** : HTML Injection
* **Software/Product Name** : [GoAnywhere MFT](https://www.goanywhere.com/products/goanywhere-mft)
* **Vendor**                : [Fortra](https://www.fortra.com/)
* **Affected Versions**     : <= 7.9.1
* **Fixed in Version**      : 7.10.0
* **CVE ID**                : CVE-2026-0972
* **CVSS Vector**           : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
* **CVSS Base Score**       : 5.4 (Medium)

## Vendor Description ##

> GoAnywhere Managed File Transfer is a comprehensive managed file transfer
> solution that will manage your organization's file transfer software,
> file sharing, secure FTP, and automation needs through a single interface.

Source: <https://www.goanywhere.com/products/goanywhere-mft>

## Impact ##

Attackers can abuse the email templating functionality by injecting
malicious content into template variables, resulting in HTML injection in
outgoing emails.

## Vulnerability Description ##

It is possible to manipulate HTML emails generated via the "Send Email"
functionality if an attacker is able to control the content of a template
variable. User-supplied data inserted into the email body is not properly
HTML-encoded, and there is no option to enforce encoding for variables
during email template configuration.

![Send Email Configuration](images/send_email_configuration.png)

As a result, an attacker can inject arbitrary HTML content into outgoing
emails. Since these emails are sent by the legitimate mail server and
therefore appear to originate from a trusted sender, recipients are more
likely to trust their contents. An attacker could, for example, insert links
that redirect users to a phishing website designed to capture credentials
or other sensitive information, or to deliver further malicious content.

This vulnerability can therefore be used to conduct effective phishing or
social engineering attacks leveraging the trust relationship between the
application and its users.

## Proof of Concept ##

1. Configure an "Upload Successful" trigger: Set up an automation rule or
   workflow that is triggered whenever a user uploads a file in the application
   [1]. This trigger should fire on each successful upload and proceed to
   execute the subsequent action.

2. Attach the "Send Email" functionality to the trigger: Add a "Send
   Email" action that is executed whenever the "Upload Successful" trigger
   fires. Configure this action to send an HTML email to an internal recipient
   (for example, a support or operations mailbox) to notify them that a new
   file has been uploaded. [2]

3. Include the uploaded filename as a variable in the email template:
   In the HTML email template, insert the variable representing the uploaded
   filename into the email body, for example:
   `A new file has been uploaded: ${VARIABLE_NAME}`. The email will then be
   sent automatically to the internal recipient whenever a file is uploaded.

4. Upload a file with HTML special characters in the filename: Upload a file
   whose filename contains HTML markup instead of a normal, benign filename. For
   instance:
   `Please enter your password here: <a href='evil.site'>evil.site<a>.jpg`.
   Because the filename is treated as data but inserted directly into
   the HTML email without encoding, the HTML tags are preserved as-is.

5. Observe the manipulated HTML content in the received confirmation
   email: When the internal recipient receives the confirmation email, the
   filename variable will be rendered as part of the HTML content. Instead of
   displaying the raw text of the filename, the email client interprets the
   injected HTML: the phishing link appears as a clickable hyperlink. This
   demonstrates that attacker-controlled input can manipulate the structure
   and content of outgoing HTML emails, enabling the injection of malicious
   links and other HTML elements into messages that appear to come from a
   trusted internal system.

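The proof of concept above turns on one observable: an uploaded filename that carries HTML markup. Until the fix is deployed, a defender can watch for exactly that in upload audit data. The following is an added example, not code from the advisory or from Fortra; it assumes a generic `key=value` audit line format (GoAnywhere MFT's real log layout is not shown on this page), and the sample lines are constructed to include the advisory's proof-of-concept filename.

```python
import re

# Constructed sample audit lines in a generic key=value style. This is an
# assumed format for illustration, not GoAnywhere MFT's real log layout.
SAMPLE_EVENTS = [
    'ts=2026-04-23T10:01:02Z event=UPLOAD user=alice file="quarterly_report.pdf" status=SUCCESS',
    'ts=2026-04-23T10:02:45Z event=UPLOAD user=bob file="Please enter your password here: <a href=\'evil.site\'>evil.site<a>.jpg" status=SUCCESS',
    'ts=2026-04-23T10:03:10Z event=UPLOAD user=carol file="notes&drafts.txt" status=SUCCESS',
    'ts=2026-04-23T10:04:00Z event=LOGIN user=dave status=SUCCESS',
]

EVENT_RE = re.compile(r'event=(?P<event>\S+)')
USER_RE = re.compile(r'user=(?P<user>\S+)')
FILE_RE = re.compile(r'file="(?P<file>(?:[^"\\]|\\.)*)"')
# Anything that looks like an opening or closing HTML tag.
TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z][^>]*>')
HTML_METACHARS = set('<>&"\'')


def markup_risk(filename: str) -> str:
    """Classify a filename by how it would behave if pasted into an HTML body unencoded."""
    if TAG_RE.search(filename):
        return "tag"        # a complete tag is present: renders as markup
    if HTML_METACHARS & set(filename):
        return "metachar"   # needs encoding, but contains no full tag
    return "clean"


def scan_uploads(lines):
    """Return (user, filename, risk) for UPLOAD events whose filename is not clean."""
    findings = []
    for line in lines:
        ev = EVENT_RE.search(line)
        fm = FILE_RE.search(line)
        um = USER_RE.search(line)
        if not (ev and fm and um) or ev.group("event") != "UPLOAD":
            continue
        risk = markup_risk(fm.group("file"))
        if risk != "clean":
            findings.append((um.group("user"), fm.group("file"), risk))
    return findings


if __name__ == "__main__":
    for user, name, risk in scan_uploads(SAMPLE_EVENTS):
        print(f"[{risk}] user={user} file={name!r}")
```

The two severities matter in practice: a `tag` finding on a system that emails filenames to an internal mailbox is the exact precondition the advisory describes, while a `metachar` finding (an ampersand or quote in a name) is usually benign but shows that the same template would still need encoding.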
## Recommended Countermeasures ##

We recommend updating to GoAnywhere MFT version 7.10.0 or later.

GoAnywhere MFT should not allow unencoded HTML special characters from
user provided sources in email output and instead apply correct encoding
according to the output context. For example, when displaying the content
within an HTML email, HTML encoding must be performed before the untrusted
data is displayed.

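The countermeasure is context-appropriate output encoding: a `${VARIABLE}` value destined for an HTML body must be HTML-encoded before substitution. The block below is an added example, not GoAnywhere MFT's code or Fortra's fix, that renders the advisory's template with the proof-of-concept filename both ways and counts the tags that the variable introduced; the `${FILENAME}` placeholder name and the `<p>` wrapper are assumptions for the example.

```python
import re
from html import escape
from string import Template

# Template text and filename follow the advisory's proof of concept; the
# placeholder name FILENAME and the <p> wrapper are assumptions of this example.
TEMPLATE = "<p>A new file has been uploaded: ${FILENAME}</p>"
POC_FILENAME = "Please enter your password here: <a href='evil.site'>evil.site<a>.jpg"

TAG_RE = re.compile(r"<[^>]+>")


def render_unencoded(template: str, variables: dict) -> str:
    """Vulnerable behaviour: variable values are pasted into the HTML body verbatim."""
    return Template(template).safe_substitute(variables)


def render_html_encoded(template: str, variables: dict) -> str:
    """Hardened behaviour: every value is HTML-encoded for the body context first.

    quote=True also encodes ' and " so the value stays inert inside attributes,
    not only in element text.
    """
    encoded = {name: escape(str(value), quote=True) for name, value in variables.items()}
    return Template(template).safe_substitute(encoded)


def injected_tag_count(template: str, rendered: str) -> int:
    """Number of tags in the rendered body that the template itself did not contain."""
    return len(TAG_RE.findall(rendered)) - len(TAG_RE.findall(template))


if __name__ == "__main__":
    variables = {"FILENAME": POC_FILENAME}
    for label, render in (("unencoded", render_unencoded), ("encoded", render_html_encoded)):
        body = render(TEMPLATE, variables)
        print(f"{label}: {injected_tag_count(TEMPLATE, body)} injected tag(s)")
        print(f"  {body}")
```

Encoding happens at the point of substitution rather than at upload time, which is the design choice the advisory's "according to the output context" wording calls for: the same filename may later be written to a log line or a plain-text email, where HTML entities would be wrong and a different encoder applies.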
## Timeline ##

* `2025-10-19` Identified the vulnerability in version 7.8.3 Build 7
* `2025-12-01` First contact with Fortra support team
* `2025-12-12` Disclosed vulnerability to Fortra support team and started our 90 day disclosure timeline
* `2026-01-20` Vulnerability was assigned CVE-2026-0972 by Fortra
* `2026-03-18` Disclosure timeline extended due to promised fix with release 7.10 at the end of March
* `2026-04-07` Disclosure timeline extended again due to delayed release
* `2026-04-20` Fortra published a fix with release 7.10
* `2026-04-23` Public disclosure

## References ##

1. GoAnywhere MFT Triggers:
   <https://www.goanywhere.com/products/goanywhere-mft/automation/triggers>
2. GoAnywhere MFT Email Connectivity:
   <https://www.goanywhere.com/products/goanywhere-mft/connectivity/email>
3. Vendor Security Advisory:
   <https://www.fortra.com/security/advisories/product-security/fi-2026-006>

## Credits ##

* Philipp Schweinzer ([SBA Research](https://www.sba-research.org/))

The discovery of this vulnerability was made possible through support from
[CYSSDE](https://cyssde.eu/) and the European Union.

![CYSSDE](images/cyssde.png)

-----BEGIN PGP SIGNATURE-----

iQJPBAEBCAA5FiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmnqfbcbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMiwxAAoJEPu4hi9Y93WyzUwP/R71yiNhsJF2yZMNqxEx
wPSH2FKSSMC2AU+nV7ukYpbfK0APhq/8NLOXG6jXpmXH1F5pmWvoPdVQeGQinqef
dGH19oe7Wd+lhBEK5icO10L6NNEGyxy+gev21Kbykf6+wrMzJz+ICjpyMBdi/4zV
YaiIlprrtCtTylSTBUMV9fXqcj1HKWWtWTDObXI9JgvGh4IfYzNrV6AgfGv6GvIJ
gSKHSmVvCmd1WWQMA/JiuEBCpgCeJIXcApKK+vuxmduh4fGRnpcWc0LxCb82ny+O
/qOdYOt+nSvwEttVBARYS1d+uMYfLiiWYNZD3g84o8VAaelR9AT9NeCkOUPhEGAd
xbM9A+Y46HqdPt0mJQ81bPi938r6Xruvg3rAw4JoQSV8/VCtzWmicIiLsVZJNRdb
CVDgCX8tg8gpMlzcssmnNUrpsBolb3ovxiBVj1SXfi1c/ln6FWbvnnjNYBmkWPSg
QUK/m7ZgKFuNCqf6z8gBK7jOtK2Bv7OiMZ4s+gVEuNRYFFZOoQn9DtnWgAUcSbI5
3l0I56qPNgWqWUG3AwnP6P24x/6qjOn3jyLo5CKONd1NeGyIe1XL44Xh6I2B5hou
C4qkUGB67wNS/wQwDUuEdlo62TLGnd48N9dG8VGzw+AI9DBR0DXjFvvlLfz5cQ5q
xg2FGsgh2xDnCa3KBno+0HOr
=2+hu
-----END PGP SIGNATURE-----

Scores (as of 30 Apr 2026 00:00)

* Vulners AI Score: 5.5 (Medium risk)
* CVSS 3.1: 5.4
* EPSS: 0.00035
* SSVC: (no value shown)
* Views: 38