PT-2026-57845 · Rejetto · Rejetto Hfs
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-61504
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Rejetto HFS versions 3.0.0 through 3.2.0
Description
Stored Cross-Site Scripting occurs because the software fails to escape file names in its fallback basic web listing. This listing can be triggered by any browser using the
?get=basic parameter. An attacker with upload permissions, or an anonymous user on servers with an open upload folder, can upload a file with a name containing a malicious script that executes in the browser of any user viewing the listing.Recommendations
Update Rejetto HFS to a version later than 3.2.0.
Restrict upload permissions or close open upload folders to prevent unauthorized file storage.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Rejetto Hfs