Accellion: >> File Transfer Appliance >> 9_11_210 Security Vulnerabilities
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
CVSS Score
10.0
EPSS Score
0.003
Published
2017-05-05
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-05-05
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-05-05
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.
CVSS Score
7.8
EPSS Score
0.0
Published
2016-05-07
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.
CVSS Score
8.8
EPSS Score
0.01
Published
2016-05-07
SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.
CVSS Score
9.8
EPSS Score
0.008
Published
2016-05-07
Multiple cross-site scripting (XSS) vulnerabilities on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) getimageajax.php, (2) move_partition_frame.html, or (3) wmInfo.html.
CVSS Score
6.1
EPSS Score
0.003
Published
2016-05-07
Page 2