CVEs affecting projects tracked on Release Alert, from NVD & OSV.
CVE-2022-39220 — MEDIUM severity vulnerability | Release Alert
CVE-2022-39220
6.1
MEDIUMCVSS v3
Published
September 20, 2022
Affected
2 projects
Assigned by
GitHub
Severity scale
010
Description
SFTPGo is an SFTP server written in Go. Versions prior to 2.3.5 are subject to Cross-site scripting (XSS) vulnerabilities in the SFTPGo WebClient, allowing remote attackers to inject malicious code. This issue is patched in version 2.3.5. No known workarounds exist.
ChocolateySFTPGo allows you to securely share your files over SFTP and optionally over HTTP/S, FTP/S and WebDAV as well.
Several storage backends are supported and they are configurable per-user, so you can serve a local directory for a user and an S3 bucket (or part of it) for another one.
SFTPGo also supports virtual folders. A virtual folder can use any of the supported storage backends. So you can have, for example, a user with the S3 backend mapping a GCS bucket (or part of it) on a specified path and an encrypted local filesystem on another one. Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user.
SFTPGo allows to create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.
SFTPGo is highly customizable and extensible to suit your needs.
You can find more info [here](https://docs.sftpgo.com/latest/).
### Notes
* This package installs SFTPGo as Windows Service.
* After the first installation please take a look at the [Getting Started Guide](https://docs.sftpgo.com/2.7/initial-configuration/).