Description
A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 that utilize self-registration for the GoAnywhere Web Client. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended.
References (3)
Core 3
Core References
Mitigation, Vendor Advisory x_refsource_misc
https://www.goanywhere.com/support/advisory/68x
Release Notes, Vendor Advisory x_refsource_misc
https://www.goanywhere.com/support/release-notes/mft?limit=0
Permissions Required, Third Party Advisory x_refsource_misc
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
Scores
CVSS v3
6.5
EPSS
0.0083
EPSS Percentile
53.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (1)
helpsystems/goanywhere_managed_file_transfer
< 6.8.3
Published
Jul 27, 2022
Tracked Since
Feb 18, 2026