How severe is CVE-2024-37897?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.4 out of 10.

What type of vulnerability is CVE-2024-37897?

This is classified as CWE-287, which is a common weakness in software security.

CVE-2024-37897 - MEDIUM Severity | CVSS 5.4

Vulnerability Description

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.

Related Vulnerabilities

CVE-2017-3795

MEDIUM

CVSS:5.4(Medium)

A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to conduct arbitrary password changes against any non-administrative user. More Information: CSCuz03345. Kn...

CWE-2872017

CVE-2017-6617

MEDIUM

CVSS:5.4(Medium)

A vulnerability in the session identification management functionality of the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an unauthenticated, remote attacker to h...

CWE-2872017

CVE-2018-1999045

MEDIUM

CVSS:5.4(Medium)

A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to ...

CWE-2872018

CVE-2019-15617

MEDIUM

CVSS:5.4(Medium)

A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login.

CWE-2872019

CVE-2020-12848

MEDIUM

CVSS:5.4(Medium)

In Pydio Cells 2.0.4, once an authenticated user shares a file selecting the create a public link option, a hidden shared user account is created in the backend with a random username. An anonymous us...

CWE-2872020

CVE-2021-20578

MEDIUM

CVSS:5.4(Medium)

IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. IBM X-Force ID: 199...

CWE-2872021