We have released SFTPPlus version 4.23.0, which improves the cross-site scripting (XSS) protection for the Activity log page of the web management console.

Any HTML markup supplied by a malicious person, for example as part of a username, is now sanitized when logged, so it is shown as literal text rather than rendered as markup.

In previous versions, if a malicious person attempted to log in using a username formatted as an HTML link, the link was rendered as a clickable link on the Activity log page. Moreover, JavaScript and CSS code could be inserted into the page in the same way.

However, no JavaScript code would have been executed, as Content Security Policy (CSP) was already enabled in previous versions.
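To make the distinction concrete, the following is an added example (not SFTPPlus code) of rendering an activity-log row from a constructed log entry whose username is attacker-controlled. The unsafe version interpolates the fields straight into HTML, so the link and style element in the username reach the browser as markup; the hardened version escapes every attacker-controlled field at the point where it becomes HTML. The entry, field names and function names are assumptions made for the illustration.

```javascript
// Added example, not part of SFTPPlus. Shows why logged, attacker-controlled
// fields must be escaped before they are rendered in a web console.

// Constructed log entry: the username is exactly what an attacker typed at the
// login prompt, so it can contain arbitrary HTML.
const SAMPLE_ENTRY = {
  timestamp: "2024-01-01T12:00:00Z",
  username:
    '<a href="https://attacker.example/login">admin</a>' +
    "<style>body{display:none}</style>",
  message: "Authentication failed",
};

// Vulnerable rendering: raw string interpolation into an HTML table row.
// The browser renders the <a> as a clickable link and applies the <style>;
// whether an injected <script> runs depends only on the page's CSP.
function renderRowUnsafe(entry) {
  return (
    `<tr><td>${entry.timestamp}</td>` +
    `<td>${entry.username}</td>` +
    `<td>${entry.message}</td></tr>`
  );
}

// Escape the characters that are significant in HTML text and attribute
// contexts, so user data can never start a tag or break out of an attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: every field that originated outside the application is
// escaped at the moment it is turned into HTML.
function renderRowSafe(entry) {
  return (
    `<tr><td>${escapeHtml(entry.timestamp)}</td>` +
    `<td>${escapeHtml(entry.username)}</td>` +
    `<td>${escapeHtml(entry.message)}</td></tr>`
  );
}

// Check used below: does the rendered row contain any tag other than the
// <tr>/<td> structure the renderer itself emits?
function containsInjectedTag(html) {
  return /<(?!\/?t[rd]>)/.test(html);
}

// Render both variants for the constructed entry.
function demo() {
  return {
    unsafe: renderRowUnsafe(SAMPLE_ENTRY),
    safe: renderRowSafe(SAMPLE_ENTRY),
  };
}

// Stand-alone run: the unsafe row carries the attacker's <a> and <style>,
// the safe row shows them as escaped text.
console.log(demo());
```

Escaping at render time is the part the CSP cannot replace: a policy that forbids inline scripts stops the injected JavaScript from executing, but it does not stop a forged link from appearing in the log as a clickable element an administrator might follow.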

The same sanitization was applied to the review page when viewing differences. For the review page, the risk was even lower, as only administrators could produce the malicious changes that would be displayed there.

The upgrade is recommended for all customers using SFTPPlus' web management console.

You can check the full release notes here.