Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insufficient access control for password reset in sftpgo
Vulnerability Description
SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
认证机制不恰当
Vulnerability Title
SFTPGo 安全漏洞
Vulnerability Description
SFTPGo是意大利Nicola Murino个人开发者的一个功能齐全且高度可配置的 SFTP 服务器。 SFTPGo v2.2.0 到 v2.6.1版本存在安全漏洞,该漏洞源于SFTPGo WebAdmin 和 WebClient 支持密码重置,如果启用该功能,即使有访问限制(例如已过期)的用户也可以重置密码并登录。
CVSS Information
N/A
Vulnerability Type
N/A