Description
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- Fortra / GoAnywhere MFT: 6.0.1 – 7.4.1
Exploits & proofs of concept
- nuclei: Fortra GoAnywhere MFT - Authentication Bypass, by DhiyaneshDK
References
- MISC: https://www.fortra.com/security/advisory/fi-2024-001
- VENDOR_ADVISORY: https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
- EXPLOIT: http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
- EXPLOIT: http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html