CVE-2022-39220 MEDIUM

CVE-2022-39220: XSS Vulnerabilities in WebClient

Vendor Drakkan

Product sftpgo

Weakness CWE-79 · XSS

Published September 20, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

SFTPGo is an SFTP server written in Go. Versions prior to 2.3.5 are subject to Cross-site scripting (XSS) vulnerabilities in the SFTPGo WebClient, allowing remote attackers to inject malicious code. This issue is patched in version 2.3.5. No known workarounds exist.

Key dates

02Disclosure timeline

September 20, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-39220 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-2500 ColorMag <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name CVE-2025-64591 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-5513 quequnlong shiyi-blog add cross site scripting CVE-2024-29817 WordPress affiliate-toolkit – WordPress Affiliate Plugin plugin <= 3.4.5 - Cross Site Scripting (XSS) vulnerability CVE-2025-32961 CUBA JPA Web API Vulnerable to Cross-Site Scripting (XSS) in the /download Endpoint