Vulnerability found in Workspaces component of Biscom Secure File Transfer
Tod Beardsley, Principal Security Research Manager at Rapid7, has recently commented on the vulnerability:
“While using Biscom’s Secure File Transfer (SFT) product, Rapid7 researcher Orlando Barrera II discovered that a malicious actor could subvert the permissions model of SFT by using cross-site scripting (XSS) techniques. While the attacker would have to already have an account on the specific SFT server, he could ultimately use this technique to spy on file transfers that were otherwise believed to be secure. Today, we’re happy to report that Biscom worked quickly with Rapid7 to ensure that the issue was fixed and their customers were able to get the latest patched version quickly.”
- Tod Beardsley, Principal Security Research Manager at Rapid7
The issue is resolved as of Biscom SFT version 5.1.1025, and upgrading is the fix. As an interim mitigation, a web application firewall can block requests that carry the XSS payload or strip the offending markup before it reaches users; filtering of this kind is a stopgap that reduces exposure but does not correct the underlying flaw, so it should not be relied on in place of the patch.
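To show why a strip-the-payload filter is only a stopgap, here is an added example (it is not Biscom's code and does not reproduce the reported flaw; the inputs are constructed and the function names are this example's own). It compares a WAF-style rule that removes script tags with context-aware HTML output encoding on the same inputs.

```python
import html
import re

# Constructed sample inputs of the kind a file-name or note field in a file
# transfer application might receive. They are illustrative, not payloads
# taken from the advisory.
SAMPLES = [
    "quarterly-report.pdf",                        # benign
    "<script>alert(1)</script>",                   # the case the filter targets
    '<img src=x onerror="alert(1)">',              # no script tag at all
    "<scr<script>ipt>alert(1)</script>",           # reassembles after one pass
]

# A naive "strip offending XSS" rule, similar in spirit to a WAF rewrite rule:
# it deletes <script ...> and </script> tokens, case-insensitively, and nothing
# else. (Hypothetical rule written for this example.)
_SCRIPT_TAG_RE = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Single-pass removal of script tags; returns the filtered string."""
    return _SCRIPT_TAG_RE.sub("", value)


def encode_for_html(value: str) -> str:
    """Context-aware output encoding for an HTML text or attribute context.

    Every character that could open a tag, attribute or entity is replaced
    by its HTML entity, so the value renders as text whatever it contains.
    """
    return html.escape(value, quote=True)


def is_inert(rendered: str) -> bool:
    """Rough check used by this example: a string that contains no raw '<'
    cannot open a tag, so it cannot inject markup into an HTML context."""
    return "<" not in rendered


def compare(samples=SAMPLES):
    """Return one record per sample showing what each approach produces and
    whether the result is inert under is_inert()."""
    rows = []
    for s in samples:
        stripped = strip_script_tags(s)
        encoded = encode_for_html(s)
        rows.append({
            "input": s,
            "stripped": stripped,
            "strip_inert": is_inert(stripped),
            "encoded": encoded,
            "encode_inert": is_inert(encoded),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The strip rule handles only the literal case it was written for: the event-handler variant passes through untouched, and the nested variant is turned into a working script tag by the very rule meant to remove it. Encoding the value at output time, which is what a product patch would normally do, leaves every sample inert.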