A security flaw has been found in Biscom’s Secure File Transfer product that affects the following versions:
All versions up to 5.1.1058
The fix version is SFT 5.1.1061.
It is recommended that all affected versions of SFT be upgraded immediately.
SFT is vulnerable to a combination of a Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attack on certain pages.
The vulnerability cannot be exploited by anonymous users visiting the site. A malicious user would have to have been granted access to the site with enough rights to compose messages or replies.
A malicious user could insert script code into message body fields to exploit CSRF vulnerabilities. The SFT application is built with protections against CSRF attacks; however, certain pages in the application were identified that could be called in such a way as to execute actions on users, deliveries, packages, and workspaces. Such an attack can only affect objects the targeted user already has rights to modify (for example, a user cannot delete packages they do not own or manage).
The vulnerability to CSRF attacks on the affected pages has been remediated by implementing CSRF tokens to prevent attacks.
Checking for script tags has been added to affected input fields to remove dangerous code. This sanitization is performed when data is saved, to prevent new attacks, and when existing data is loaded, to protect against any script code that may have been entered prior to version 5.1.1061.
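The two remediations described above, as an added illustration that is not Biscom's code: a per-session anti-CSRF token checked with a constant-time comparison before any state-changing action, an ownership check so the action is limited to objects the caller may modify, and HTML escaping of the message body on output (used here in place of tag removal, since escaping neutralizes markup regardless of how it is spelled). The `delete package` action, the session store and the form field names are constructed for this example.

```python
import hmac
import html
import secrets


class CsrfGuard:
    """Issues one random token per session and verifies it on every state-changing request."""

    def __init__(self):
        self._tokens = {}  # session_id -> token (constructed in-memory store)

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable by a script on another origin
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # constant-time compare so the token cannot be recovered byte by byte via timing
        return hmac.compare_digest(expected, submitted)


def handle_delete_package(guard, session_id, form, owned_packages):
    """Hypothetical state-changing page: delete a package the caller owns or manages.

    Returns an (HTTP status, message) pair. The CSRF check runs before anything else,
    so a forged request (no token, or another session's token) is refused outright.
    """
    if not guard.verify(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    package_id = form.get("package_id")
    if package_id not in owned_packages:
        return 403, "not owner or manager of package"
    owned_packages.remove(package_id)
    return 200, f"deleted {package_id}"


def render_message_body(body):
    """Escape a stored message body on output so injected markup is shown as text, not executed."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("sess-A")
    owned = {"pkg-1"}
    print(handle_delete_package(guard, "sess-A", {"package_id": "pkg-1"}, owned))
    print(handle_delete_package(guard, "sess-A", {"package_id": "pkg-1", "csrf_token": token}, owned))
    print(render_message_body("<script>alert(1)</script>"))
```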