A security flaw has been identified in Biscom’s Secure File Transfer product that affects versions 5.0 through 5.1.1024. A fix is available in version 5.1.1025. 

Issue summary:  

An authenticated SFT user with access to create and edit workspaces may run malicious java script within the browser of visitors to a specified workspace.  The attacker must be an authenticated user on the SFT instance.  

Systems that do not use workspaces are not vulnerable but should still be upgraded. 

Technical Details 

The SFT vulnerability only affects customers using the workspace feature and requires an authenticated user to exploit. 

The exploit on affected versions is accomplished by first authenticating to the SFT server and then performing one of the following actions: 

1.    Entering Javascript into the name or description fields of a workspace in order to execute within the workspace browser session 

2.    Entering Javascript into the file description field within a workspace in order to execute within the workspace browser session 

Editing the vulnerable fields is limited to authenticated users with the Manager or Collaborator roles within a workspace.  

This vulnerability was discovered during security testing and there are no known cases of it being exploited outside of the security test that discovered it. 

Fix Details 

Starting with version 5.1.1025 the SFT Server no longer treats these fields as HTML and will not execute scripts.