Accellion: Security Vulnerabilities
An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2017-05-05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2017-05-05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a home/seos/courier/login.html auth_params CRLF attack vector.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-05-05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-05-05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2017-05-05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
CVSS Score: 10.0 | EPSS Score: 0.003 | Published: 2017-05-05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-05-05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2017-05-05

Directory traversal vulnerability on Accellion Kiteworks appliances before kw2016.03.00 allows remote attackers to read files via a crafted URI.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2016-08-26

Multiple cross-site scripting (XSS) vulnerabilities in oauth_callback.php on Accellion Kiteworks appliances before kw2016.03.00 allow remote attackers to inject arbitrary web script or HTML via the (1) code, (2) error, or (3) error_description parameter.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2016-08-26
Shodan ® - All rights reserved