We have released SFTPPlus version 3.55.0, which fixes a critical security issue for the Local Manager's web console GUI introduced with SFTPPlus version 3.24.0.

The security defect was allowing non-authenticated requests for the Activity log, downloaded in CSV format.

Your SFTPPlus setup is not affected if you are not using the default-enabled "Store in database" event handler.

In order to audit for potential security breaches, parse the log files for events with ID 50026, then check them for any unauthorized access. Unfortunately, you can only identify unauthorized access by its timestamp.

No user data or passwords can be compromised in this way. The usernames and filenames found in the logs are exposed to unauthorized parties if accessed in this particular way.

The upgrade is recommended for all customers using the web management console.

You can check the full release notes here.