| id: GO-TEST-ID |
| modules: |
| - module: github.com/drakkan/sftpgo |
| versions: |
| - fixed: 2.3.5 |
| summary: SFTPGo WebClient vulnerable to Cross-site Scripting |
| description: |- |
| ### Impact Cross-site scripting (XSS) vulnerabilities have been reported to |
| affect SFTPGo WebClient. If exploited, this vulnerability allows remote |
| attackers to inject malicious code. |
| |
| ### Patches Fixed in v2.3.5. |
| cves: |
| - CVE-2022-39220 |
| ghsas: |
| - GHSA-cf7g-cm7q-rq7f |
| references: |
| - advisory: https://github.com/drakkan/sftpgo/security/advisories/GHSA-cf7g-cm7q-rq7f |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-39220 |
| - fix: https://github.com/drakkan/sftpgo/commit/cbef217cfa92478ee8e00ba1a5fb074f8a8aeee0 |
| notes: |
| - lint: 'description: possible markdown formatting (found ### )' |
| - lint: 'modules[0] "github.com/drakkan/sftpgo": version 2.3.5 does not exist' |
| - lint: 'references: too many advisories (found 2, want <=1)' |
| - lint: 'summary: must contain an affected module or package path (e.g. "github.com/drakkan/sftpgo")' |
