CVE-2024-11922 MEDIUM

CVE-2024-11922: Input Validation vulnerability in Web Client emails that do not go through Secure Mail

Vendor Fortra

Product GoAnywhere MFT

Weakness CWE-79 · XSS

Published April 28, 2025

Last update April 28, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Missing input validation in certain features of the Web Client of Fortra's GoAnywhere prior to version 7.8.0 allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email.

Key dates

02Disclosure timeline

April 28, 2025 CVE published

April 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-11922 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2021-24372 WP Hardening < 1.2.2 - Reflected XSS via URI CVE-2025-46491 WordPress Multi-Column Taxonomy List plugin <= 1.5 - Cross Site Scripting (XSS) Vulnerability CVE-2025-23987 WordPress Designer plugin <= 1.6.4 - Cross Site Scripting (XSS) vulnerability CVE-2024-1074 Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Audio Widget CVE-2025-1577 code-projects Blood Bank System prostatus.php cross site scripting