CVE-2024-0204

EUVD-2024-16003
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Forced Browsing
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
FortraCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
fortragoanywhere_managed_file_transfer
7.0.0 ≤
𝑥
< 7.4.1
fortragoanywhere_managed_file_transfer
6.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
https://www.fortra.com/security/advisory/fi-2024-001
http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
https://www.fortra.com/security/advisory/fi-2024-001