Security Advisory for SFTPPlus 4.23.0

We have released SFTPPlus version 4.23.0, which improves the cross-site scripting (XSS) protection for the Activity log page of the web management console.

Any HTML markup produced by a malicious person is now sanitized when logged.

In previous versions, if a malicious person attempted to log in using a username formatted as an HTML link, the link was displayed on the page. More so, JavaScript and CSS code could be inserted.

However, no JavaScript code would have been executed, as Content Security Policy (CSP) was already enabled in previous versions.

The same sanitization was done for the review page when viewing differences. For the review page, the risk was even lower, as only administrators could produce malicious changes.

The upgrade is recommended for all customers using SFTPPlus' web management console.

You can check the full release notes here.

Security advisories newsletter

The security advisories newsletter is available to our customers as a convenient method for receiving information about security updates and best practices.

You can view the security advisories archive here (articles are made public 3 months after their initial internal release).