CVE-2024-11922: 
GoAnywhere MFT vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was identified in Fortra's GoAnywhere Web Client prior to version 7.8.0. The vulnerability (CVE-2024-11922) was discovered on November 25, 2024, and publicly disclosed on April 28, 2025. The vulnerability affects the email functionality of the Web Client component, specifically in features that do not go through Secure Mail (Fortra Advisory).

The vulnerability stems from missing input validation in certain features of the Web Client, which allows an attacker with permission to trigger emails to insert arbitrary HTML or JavaScript into an email. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. It is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD, Fortra Advisory).

The vulnerability could lead to a cross-site scripting attack by a malicious user, potentially compromising the confidentiality, integrity, and availability of the affected system, each at a low level as indicated by the CVSS score (Fortra Advisory).

Two mitigation options are available: 1) Limit access to only trustworthy Web Users as a temporary workaround, and 2) Upgrade to GoAnywhere MFT version 7.8.0 or later for a permanent fix (Fortra Advisory).