CVE-2017-5246

MEDIUM

Biscom Secure File Transfer <5.1.1026 - Code Injection

Title source: llm

Description

Biscom Secure File Transfer is vulnerable to AngularJS expression injection in the Display Name field. An authenticated user can populate this field with a valid AngularJS expression, wrapped in double curly-braces ({{ }}). This expression will be evaluated by any other authenticated user who views the attacker's display name. Affected versions are 5.0.0000 through 5.1.1026. The Issue is fixed in 5.1.1028.

References (2)

[Various Sources] https://cve.biscom.com/bis-sft-cv-0004/

[Third Party Advisory] https://twitter.com/i_bo0om/status/885050741567750145

Scores

CVSS v3 4.3

EPSS 0.0028

EPSS Percentile 51.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-74

Status published

Products (2)

biscom/secure_file_transfer

Biscom/Secure File Transfer < 5.0.0000 through 5.1.1026

Published Jul 18, 2017

Tracked Since Feb 18, 2026