CVE-2017-5246

MEDIUM

Biscom Secure File Transfer <5.1.1026 - Code Injection

Title source: llm
STIX 2.1

Description

Biscom Secure File Transfer is vulnerable to AngularJS expression injection in the Display Name field. An authenticated user can populate this field with a valid AngularJS expression, wrapped in double curly-braces ({{ }}). This expression will be evaluated by any other authenticated user who views the attacker's display name. Affected versions are 5.0.0000 through 5.1.1026. The Issue is fixed in 5.1.1028.

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
https://twitter.com/i_bo0om/status/885050741567750145
Various Sources x_refsource_confirm
https://cve.biscom.com/bis-sft-cv-0004/

Scores

CVSS v3 4.3
EPSS 0.0060
EPSS Percentile 44.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-74
Status published
Products (2)
Biscom/Secure File Transfer 5.0.0000 through 5.1.1026
biscom/secure_file_transfer
Published Jul 18, 2017
Tracked Since Feb 18, 2026