
Insufficient access control for password reset

Moderate
drakkan published GHSA-hw5f-6wvv-xcrh Jun 20, 2024

Package

gomod sftpgo (Go)

Affected versions

>= v2.2.0, < v2.6.1

Patched versions

v2.6.1

Description

Impact

SFTPGo's WebAdmin and WebClient support password reset. The feature is disabled in the default configuration.
In SFTPGo versions prior to v2.6.1, if the feature is enabled, users and admins who are otherwise barred from logging in (for example, an account whose expiration date has passed) can still request a reset code, set a new password and log in: the reset flow does not enforce the access restrictions that the login path does.
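The following Go example is added here to illustrate the class of bug the advisory describes; it is not SFTPGo's code and the User model, the ExpirationDate field (Unix milliseconds), the Status flag and the ResetService type are all hypothetical. It places the pre-fix check (only an email address is required to receive a code) beside a hardened one that reuses the login restriction check, and re-applies that check when the code is redeemed, since an account can be disabled or expire between the request and the confirmation.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// User is a simplified, hypothetical account record for this example, not
// SFTPGo's data model. ExpirationDate is Unix milliseconds, 0 = never expires.
type User struct {
	Username       string
	Email          string
	Status         int   // 1 = enabled, 0 = disabled
	ExpirationDate int64 // Unix ms; 0 = no expiration
}

var (
	errNoEmail    = errors.New("no email address configured")
	errRestricted = errors.New("account is disabled or expired")
	errBadCode    = errors.New("invalid or expired reset code")
)

// canLogin is the restriction check the login path applies.
func canLogin(u User, now time.Time) bool {
	if u.Status != 1 {
		return false
	}
	return u.ExpirationDate == 0 || now.UnixMilli() <= u.ExpirationDate
}

// vulnerableResetAllowed models the pre-fix behaviour the advisory describes:
// only a configured email is required, so an expired account still gets a code.
func vulnerableResetAllowed(u User, _ time.Time) error {
	if u.Email == "" {
		return errNoEmail
	}
	return nil
}

// fixedResetAllowed puts the login restriction check in front of the old one,
// so a reset can never grant access that a normal login would refuse.
func fixedResetAllowed(u User, now time.Time) error {
	if !canLogin(u, now) {
		return errRestricted
	}
	return vulnerableResetAllowed(u, now)
}

type resetEntry struct {
	username string
	expires  time.Time
}

// ResetService stores pending codes; a real deployment emails the code to the
// user instead of returning it to the caller.
type ResetService struct {
	ttl   time.Duration
	codes map[string]resetEntry
}

func NewResetService() *ResetService {
	return &ResetService{ttl: 15 * time.Minute, codes: map[string]resetEntry{}}
}

// RequestReset issues a single-use code only if the fixed precheck passes. A
// production handler should answer uniformly on failure so it does not reveal
// which accounts exist or are restricted.
func (s *ResetService) RequestReset(u User, now time.Time) (string, error) {
	if err := fixedResetAllowed(u, now); err != nil {
		return "", err
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	code := hex.EncodeToString(buf)
	s.codes[code] = resetEntry{username: u.Username, expires: now.Add(s.ttl)}
	return code, nil
}

// ConfirmReset consumes the code and re-applies the restriction check, since
// the account may have been disabled or expired after the code was issued.
func (s *ResetService) ConfirmReset(u User, code string, now time.Time) error {
	entry, ok := s.codes[code]
	if !ok || entry.username != u.Username || now.After(entry.expires) {
		return errBadCode
	}
	delete(s.codes, code) // single use, even if the check below fails
	if !canLogin(u, now) {
		return errRestricted
	}
	return nil // the caller would now hash and store the new password
}

func main() {
	now := time.Now()
	u := User{Username: "alice", Email: "alice@example.com", Status: 1, ExpirationDate: now.Add(-time.Hour).UnixMilli()}
	fmt.Println("pre-fix:", vulnerableResetAllowed(u, now), "| fixed:", fixedResetAllowed(u, now))
}
```

The second check in ConfirmReset is the part most implementations forget: gating only the request step leaves a window in which a code issued to a valid account is redeemed after the account has been restricted.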

Patches

Fixed in v2.6.1.

Workarounds

The following workarounds are available:

  • Keep the password reset feature disabled.
  • Set a blank email address for users and admins with access restrictions, so they cannot receive the email carrying the reset code and therefore cannot complete the reset.

Severity

Moderate

CVE ID

CVE-2024-37897

Weaknesses

No CWEs

Credits