CVE-2024-11922
📋 TL;DR
This cross-site scripting (XSS) vulnerability in Fortra's GoAnywhere web client allows authenticated attackers with email triggering permissions to inject malicious HTML or JavaScript into emails. The vulnerability affects GoAnywhere versions prior to 7.8.0, potentially enabling phishing attacks or session hijacking against email recipients.
💻 Affected Systems
- Fortra GoAnywhere MFT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in victims' browsers, leading to session hijacking, credential theft, or malware delivery through seemingly legitimate emails from the GoAnywhere system.
Likely Case
Attackers craft convincing phishing emails that appear legitimate, tricking recipients into revealing credentials or downloading malicious content, potentially leading to further system compromise.
If Mitigated
With proper email security controls and user awareness training, impact is limited to potential phishing attempts that can be detected and blocked.
🎯 Exploit Status
Exploitation requires authenticated access with email triggering permissions, so the realistic threat actors are malicious insiders or attackers using compromised accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.8.0
Vendor Advisory: https://www.fortra.com/security/advisories/product-security/fi-2025-005
Restart Required: Yes
Instructions:
1. Download GoAnywhere version 7.8.0 or later from the Fortra support portal.
2. Back up the current installation and configuration.
3. Apply the update following Fortra's upgrade documentation.
4. Restart GoAnywhere services.
🔧 Temporary Workarounds
Restrict Email Triggering Permissions
Limit which users have permission to trigger emails in GoAnywhere to only essential personnel.
Implement Email Content Filtering
Deploy email security solutions that filter HTML and JavaScript content in outgoing emails.
🧯 If You Can't Patch
- Implement strict least-privilege access controls for email triggering functionality
- Deploy email security gateways that scan for malicious HTML/JavaScript in outgoing emails
🔍 How to Verify
Check if Vulnerable:
Check GoAnywhere version in web interface under Help > About or via command line: java -jar goanywhere.jar --version
Check Version:
java -jar goanywhere.jar --version
Verify Fix Applied:
Verify the version is 7.8.0 or higher, then test the email triggering feature with HTML/JavaScript input and confirm that the delivered message has been sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual email triggering activity
- Multiple email triggers from single user in short timeframe
- Emails with suspicious HTML/JavaScript content
Network Indicators:
- Outgoing emails containing script tags or unusual HTML attributes from GoAnywhere server
SIEM Query:
source="goanywhere" AND (event="email_trigger" OR event="send_email") AND (content="<script" OR content="javascript:")
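The log indicators above (suspicious HTML/JavaScript in email bodies and bursts of email triggers from one user) can be checked offline against exported logs. The script below is an added example, not part of this advisory or of GoAnywhere; it assumes a simple constructed `key=value` line format and the `email_trigger` / `send_email` event names used in the SIEM query, and the field layout would need to be mapped to the real audit log.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample lines in an assumed format; GoAnywhere's real audit log
# layout differs and its fields would need to be mapped onto LINE_RE.
SAMPLE_LOG = """\
2025-01-14T09:00:01Z event=email_trigger user=alice body="Report report.csv is ready"
2025-01-14T09:00:05Z event=send_email user=bob body="<p>Hi</p><script>alert(1)</script>"
2025-01-14T09:00:07Z event=send_email user=bob body="<a href='javascript:void(0)'>open</a>"
2025-01-14T09:00:09Z event=send_email user=bob body="<img src=x onerror=alert(1)>"
2025-01-14T09:00:12Z event=email_trigger user=bob body="plain text"
2025-01-14T09:00:20Z event=email_trigger user=bob body="plain text"
2025-01-14T09:00:30Z event=email_trigger user=bob body="plain text"
2025-01-14T09:05:00Z event=login user=carol body=""
2025-01-14T09:30:00Z event=send_email user=carol body="<b>bold</b> is fine"
"""

EMAIL_EVENTS = {"email_trigger", "send_email"}   # names taken from the SIEM query above
LINE_RE = re.compile(r'^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) body="(?P<body>[^"]*)"$')
# script tags, javascript: URLs and inline event-handler attributes (the
# "unusual HTML attributes" network indicator); a heuristic, not a full HTML parser
SUSPICIOUS_RE = re.compile(r'<script|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

def parse_log(text):
    """Parse matching lines into event dicts with a datetime timestamp; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def flag_suspicious_content(events):
    """Email events whose body matches SUSPICIOUS_RE."""
    return [e for e in events if e["event"] in EMAIL_EVENTS and SUSPICIOUS_RE.search(e["body"])]

def flag_bursts(events, threshold=5, window_s=60):
    """Users with at least `threshold` email events inside any `window_s`-second sliding window."""
    flagged, recent = set(), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] not in EMAIL_EVENTS:
            continue
        q = recent.setdefault(e["user"], deque())
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["user"])
    return flagged

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("suspicious bodies:", [(e["user"], e["body"]) for e in flag_suspicious_content(evs)])
    print("burst users:", flag_bursts(evs))
```

The threshold and window are assumptions; tune them to the normal trigger rate of the deployment before alerting on them.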