Hfs
Monthly
Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. Vendor-released patch v3.2.1 is available; no KEV listing or confirmed public exploit exists, though the same release addresses additional higher-severity vulnerabilities noted in the release notes.
Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. The vendor's own v3.2.1 release notes state that vulnerabilities addressed in this release collectively enable administrative account compromise; no public exploit or CISA KEV listing has been identified, but a vendor-released patch is available.
Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remote unauthenticated attackers through observably different login endpoint responses (CWE-204). The vendor release notes for v3.2.1 indicate this is one of multiple related vulnerabilities that collectively could allow an attacker to gain administrative access, suggesting this flaw may serve as a reconnaissance enabler in a broader attack chain. No public exploit is identified at time of analysis; vendor-released patch v3.2.1 is available.
Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. No public exploit has been identified at time of analysis, but the attack chain is low-complexity and the vendor has confirmed a fix in v3.2.1.
Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticated attacker derive the server's session-cookie signing key. Because HFS seeds that key from JavaScript's non-cryptographic Math.random() and simultaneously leaks outputs of the same generator to clients during login, an attacker can sample a few login responses, reconstruct the PRNG state, and mint a valid admin cookie - yielding full administrative control and remote code execution through the server_code configuration feature. No public exploit is identified at time of analysis, but the flaw was reported by VulnCheck/Horizon3.ai and a vendor patch (v3.2.1) exists.
Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. Vendor-released patch v3.2.1 is available; no KEV listing or confirmed public exploit exists, though the same release addresses additional higher-severity vulnerabilities noted in the release notes.
Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. The vendor's own v3.2.1 release notes state that vulnerabilities addressed in this release collectively enable administrative account compromise; no public exploit or CISA KEV listing has been identified, but a vendor-released patch is available.
Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remote unauthenticated attackers through observably different login endpoint responses (CWE-204). The vendor release notes for v3.2.1 indicate this is one of multiple related vulnerabilities that collectively could allow an attacker to gain administrative access, suggesting this flaw may serve as a reconnaissance enabler in a broader attack chain. No public exploit is identified at time of analysis; vendor-released patch v3.2.1 is available.
Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. No public exploit has been identified at time of analysis, but the attack chain is low-complexity and the vendor has confirmed a fix in v3.2.1.
Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticated attacker derive the server's session-cookie signing key. Because HFS seeds that key from JavaScript's non-cryptographic Math.random() and simultaneously leaks outputs of the same generator to clients during login, an attacker can sample a few login responses, reconstruct the PRNG state, and mint a valid admin cookie - yielding full administrative control and remote code execution through the server_code configuration feature. No public exploit is identified at time of analysis, but the flaw was reported by VulnCheck/Horizon3.ai and a vendor patch (v3.2.1) exists.