Severity: LOW (3.7)

GHSA-3vcg-pv95-pq54

SFTPGo has stored XSS via inline parameter on public shares and user file download

Details

## Summary

The `inline` query parameter on the browsable-share file download and on the authenticated user file download suppressed `Content-Disposition: attachment`, so an HTML file stored in a share or home directory could be served as `text/html` and execute in SFTPGo's web origin (stored XSS).

## Impact

Low. Exploitation requires the attacker to place the file and a victim to open the crafted link — a URL the WebClient never generates, so it requires social engineering — and the practical conditions are narrow:

- Session cookies are HttpOnly, so the injected script cannot read the cookie.
- Authenticated shares set their own session cookie, which overwrites the victim's WebClient cookie, so there is no account pivot.

The realistic case is a public share, or a folder shared between distinct users combined with targeted social engineering.

It is a genuine trust-boundary violation (SFTPGo emits attacker-controlled content as active HTML in its own origin), hence an advisory, but the constrained preconditions and the HttpOnly mitigation keep it Low.

## Patches

Upgrade to v2.7.3. These endpoints now always respond with `Content-Disposition: attachment`; the `inline` parameter has been removed. See the fix commit for the full technical rationale.
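As an added illustration (not SFTPGo's own code), a minimal Go download handler that can be built either with the pre-2.7.3 `inline` behaviour described above or in the hardened form of the fix, together with the regression check a maintainer would keep; the storage map, file names and the `/download` path are constructed for the example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// Constructed stand-in for a share's storage (file name -> bytes); this is an
// added illustration, not SFTPGo's own code. The .html entry is benign markup.
var storedFiles = map[string][]byte{
	"page.html":  []byte("<html><body>stored by a share member</body></html>"),
	"report.txt": []byte("quarterly numbers"),
}

// newDownloadHandler builds a download endpoint over storedFiles.
// honorInline=true reproduces the pre-2.7.3 behaviour: an `inline` query
// parameter suppresses Content-Disposition: attachment, so page.html goes out
// as text/html and the browser renders it in the server's origin.
// honorInline=false is the hardened form of the fix: `inline` is ignored.
func newDownloadHandler(honorInline bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		name := filepath.Base(r.URL.Query().Get("file"))
		data, ok := storedFiles[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		if !(honorInline && r.URL.Query().Get("inline") != "") {
			w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
		}
		// Content-Type follows the extension either way; the disposition decides
		// whether the browser saves the bytes or renders them.
		w.Header().Set("Content-Type", mime.TypeByExtension(filepath.Ext(name)))
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Write(data)
	}
}

// isForcedDownload is the regression check: request the file exactly as a
// crafted link would (inline set) and require an attachment disposition.
func isForcedDownload(h http.HandlerFunc, name string) bool {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", "/download?inline=1&file="+name, nil))
	return strings.HasPrefix(rec.Header().Get("Content-Disposition"), "attachment")
}
```

The check is deliberately written against the `inline` form of the request, so a future change that reintroduces the parameter fails it immediately.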


## Affected packages

| Ecosystem | Package | Introduced in | Fixed in |
| --- | --- | --- | --- |
| Go | github.com/drakkan/sftpgo/v2 | 2.2.0 | 2.7.3 |

Fix: `go get github.com/drakkan/sftpgo/v2@v2.7.3`
