[SBA-ADV-20251120-01] CVE-2026-0972: GoAnywhere MFT Email HTML Injection


Full Disclosure mailing list archives


From: SBA Research Security Advisory via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 23 Apr 2026 20:15:13 +0000


# GoAnywhere MFT Email HTML Injection #

Link: https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251120-01_GoAnywhere_MFT_Email_HTML_Injection

## Vulnerability Overview ##

GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability
in its email templating functionality. If an attacker is able to influence
the content of a template variable, malicious HTML can be embedded into
outgoing emails generated by the application. As these messages originate
from a trusted system, the vulnerability may facilitate phishing and other
social-engineering attacks. The issue arises from insufficient HTML encoding
of untrusted input before inclusion in HTML email content.

* **Identifier**            : SBA-ADV-20251120-01
* **Type of Vulnerability** : HTML Injection
* **Software/Product Name** : [GoAnywhere MFT](https://www.goanywhere.com/products/goanywhere-mft)
* **Vendor**                : [Fortra](https://www.fortra.com/)
* **Affected Versions**     : <= 7.9.1
* **Fixed in Version**      : 7.10.0
* **CVE ID**                : CVE-2026-0972
* **CVSS Vector**           : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
* **CVSS Base Score**       : 5.4 (Medium)

## Vendor Description ##

GoAnywhere Managed File Transfer is a comprehensive managed file transfer
solution that will manage your organization’s file transfer software,
file sharing, secure FTP, and automation needs through a single interface.

Source: <https://www.goanywhere.com/products/goanywhere-mft>

## Impact ##

Attackers can abuse the email templating functionality by injecting
malicious content into template variables, resulting in HTML injection in
outgoing emails.

## Vulnerability Description ##

It is possible to manipulate HTML emails generated via the "Send Email"
functionality if an attacker is able to control the content of a template
variable. User-supplied data inserted into the email body is not properly
HTML-encoded, and there is no option to enforce encoding for variables
during email template configuration.

![Send Email Configuration](images/send_email_configuration.png)

As a result, an attacker can inject arbitrary HTML content into outgoing
emails. Since these emails are sent by the legitimate mail server and
therefore appear to originate from a trusted sender, recipients are more
likely to trust their contents. An attacker could, for example, insert links
that redirect users to a phishing website designed to capture credentials
or other sensitive information, or to deliver further malicious content.

This vulnerability can therefore be used to conduct effective phishing or
social engineering attacks leveraging the trust relationship between the
application and its users.

## Proof of Concept ##

1. Configure an "Upload Successful" trigger: Set up an automation rule or
workflow that is triggered whenever a user uploads a file in the application
[1]. This trigger should fire on each successful upload and proceed to
execute the subsequent action.

2. Attach the "Send Email" functionality to the trigger: Add a "Send
Email" action that is executed whenever the "Upload Successful" trigger
fires. Configure this action to send an HTML email to an internal recipient
(for example, a support or operations mailbox) to notify them that a new
file has been uploaded. [2]

3. Include the uploaded filename as a variable in the email template:
In the HTML email template, insert the variable representing the uploaded
filename into the email body, for example:
`A new file has been uploaded: ${VARIABLE_NAME}`. The email will then be sent
automatically to the internal recipient whenever a file is uploaded.

4. Upload a file with HTML special characters in the filename: Upload a file
whose filename contains HTML markup instead of a normal, benign filename. For
instance:
`Please enter your password here: <a href='evil.site'>evil.site<a>.jpg`.
Because the filename is treated as data but inserted directly into
the HTML email without encoding, the HTML tags are preserved as-is.

5. Observe the manipulated HTML content in the received confirmation
email: When the internal recipient receives the confirmation email, the
filename variable will be rendered as part of the HTML content. Instead of
displaying the raw text of the filename, the email client interprets the
injected HTML: the phishing link appears as a clickable hyperlink. This
demonstrates that attacker-controlled input can manipulate the structure
and content of outgoing HTML emails, enabling the injection of malicious
links and other HTML elements into messages that appear to come from a
trusted internal system.

## Recommended Countermeasures ##

We recommend updating to GoAnywhere MFT version 7.10.0 or later.

GoAnywhere MFT should not allow unencoded HTML special characters from
user provided sources in email output and instead apply correct encoding
according to the output context. For example, when displaying the content
within an HTML email, HTML encoding must be performed before the untrusted
data is displayed.
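The following is an added example, not code from GoAnywhere MFT, Fortra or SBA Research. It reduces PoC steps 3 to 5 and the encoding countermeasure above to a runnable form: a constructed notification template with a `${fileName}` placeholder (Python's `string.Template` stands in for the product's `${VARIABLE_NAME}` syntax; the real template engine and variable names are not reproduced here), the advisory's PoC filename beside a benign one, a vulnerable renderer that substitutes verbatim, a fixed renderer that HTML-encodes each variable first, and a hypothetical `injected_tags` check that reports any tag in the rendered body that did not come from the template itself. The recipient address is a placeholder.

```python
import html
import re
import string
from email.message import EmailMessage

# Constructed sample template, modelled on the "Send Email" step of the PoC.
# The ${fileName} placeholder and the surrounding markup are assumptions; the
# real GoAnywhere template syntax and variable names are not reproduced here.
TEMPLATE = "<p>A new file has been uploaded: ${fileName}</p>"

# Constructed inputs: the advisory's PoC filename and a benign control.
MALICIOUS_NAME = "Please enter your password here: <a href='evil.site'>evil.site<a>.jpg"
BENIGN_NAME = "quarterly_report.pdf"

# Matches start and end tags; attribute text may contain anything except '>'.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def render_vulnerable(template: str, variables: dict) -> str:
    """Substitute variables verbatim into the HTML body.

    This mirrors the behaviour the advisory describes: the uploaded filename is
    treated as data but dropped into HTML without encoding.
    """
    return string.Template(template).safe_substitute(variables)


def render_encoded(template: str, variables: dict) -> str:
    """Substitute variables after HTML-encoding each value.

    html.escape with quote=True also encodes ' and ", so a value is safe in
    element text and in quoted attribute values; URL or JavaScript contexts
    would need their own encoding on top of this.
    """
    encoded = {name: html.escape(str(value), quote=True) for name, value in variables.items()}
    return string.Template(template).safe_substitute(encoded)


def injected_tags(rendered_html: str, template: str) -> list:
    """Return tags in the rendered email that the template itself did not contain.

    Hypothetical check for a mail gateway or log review: any tag that came from
    a variable rather than from the template is evidence of injection.
    """
    template_tags = set(TAG_RE.findall(template))
    return [tag for tag in TAG_RE.findall(rendered_html) if tag not in template_tags]


def build_notification(recipient: str, body_html: str) -> EmailMessage:
    """Wrap a rendered body in a multipart/alternative message like the PoC's notification."""
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "New file uploaded"
    msg.set_content("A new file has been uploaded.")  # text/plain part
    msg.add_alternative(body_html, subtype="html")  # text/html part
    return msg


if __name__ == "__main__":
    for name in (BENIGN_NAME, MALICIOUS_NAME):
        variables = {"fileName": name}
        vulnerable = render_vulnerable(TEMPLATE, variables)
        fixed = render_encoded(TEMPLATE, variables)
        print("filename :", name)
        print("unencoded:", vulnerable, "-> injected", injected_tags(vulnerable, TEMPLATE))
        print("encoded  :", fixed, "-> injected", injected_tags(fixed, TEMPLATE))
        print()
    msg = build_notification("ops@example.invalid",
                             render_encoded(TEMPLATE, {"fileName": MALICIOUS_NAME}))
    print(msg.get_body(preferencelist=("html",)).get_content())
```

With the PoC filename, `render_vulnerable` yields a body in which `<a href='evil.site'>` and `<a>` survive as markup, which is what the recipient's mail client renders as a clickable link; `render_encoded` turns the same input into `&lt;a href=&#x27;evil.site&#x27;&gt;...` so the filename is displayed as text. `injected_tags` is the kind of check a mail gateway or log review could run over outgoing notification bodies to flag uploads that carried markup, independent of whether the sending system has been patched. Note that encoding every variable for HTML text is the right default for a template like this one, but a variable placed inside an `href` or a script block needs URL or JavaScript encoding as well, which is the "according to the output context" point in the countermeasures.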

## Timeline ##

* `2025-10-19` Identified the vulnerability in version 7.8.3 Build 7
* `2025-12-01` First contact with Fortra support team
* `2025-12-12` Disclosed vulnerability to Fortra support team and started
               our 90 day disclosure timeline
* `2026-01-20` Vulnerability was assigned CVE-2026-0972 by Fortra
* `2026-03-18` Disclosure timeline extended due to promised fix
               with release 7.10 at the end of March
* `2026-04-07` Disclosure timeline extended again due to delayed release
* `2026-04-20` Fortra published a fix with release 7.10
* `2026-04-23` Public disclosure

## References ##

1. GoAnywhere MFT Triggers:
   <https://www.goanywhere.com/products/goanywhere-mft/automation/triggers>
2. GoAnywhere MFT Email Connectivity:
   <https://www.goanywhere.com/products/goanywhere-mft/connectivity/email>
3. Vendor Security Advisory:
   <https://www.fortra.com/security/advisories/product-security/fi-2026-006>

## Credits ##

* Philipp Schweinzer ([SBA Research](https://www.sba-research.org/))

The discovery of this vulnerability was made possible through support from
[CYSSDE](https://cyssde.eu/) and the European Union.

![CYSSDE](images/cyssde.png)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Article source: https://seclists.org/fulldisclosure/2026/Apr/8