A security flaw has been identified in Biscom’s Secure File Transfer product that affects versions 5.0 through 5.1.1024. A fix is available in version 5.1.1025.
An authenticated SFT user with permission to create or edit workspaces can store JavaScript in workspace fields that is then executed in the browser of anyone who visits that workspace (a stored cross-site scripting flaw). Exploitation requires an authenticated account on the SFT instance.
Only deployments that use the workspace feature are affected, and exploitation requires an authenticated user. Systems that do not use workspaces are not vulnerable but should still be upgraded.
On affected versions, exploitation consists of first authenticating to the SFT server and then performing one of the following actions:
Editing the vulnerable fields is limited to authenticated users who hold the Manager or Collaborator role within a workspace.
This vulnerability was discovered during security testing; there are no known cases of it being exploited outside the security test that discovered it.
Starting with version 5.1.1025, the SFT server no longer renders these fields as HTML: stored field content is displayed as plain text, so any script it contains is not executed.