Vulnerabilites related to accellion - ftp_server
Vulnerability from fkie_nvd
Published
2018-07-13 20:29
Modified
2024-11-21 03:01
Severity ?
Summary
Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cret@cert.org | https://www.kb.cert.org/vuls/id/745607 | Third Party Advisory, US Government Resource | |
| cret@cert.org | https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf | Exploit, Third Party Advisory | |
| cret@cert.org | https://www.securityfocus.com/bid/96154 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/745607 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.securityfocus.com/bid/96154 | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| accellion | ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:accellion:ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B564FFD4-6A90-4FD2-A160-9B3422B262CC",
"versionEndExcluding": "fta_9_12_220",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting."
},
{
"lang": "es",
"value": "El servidor Accellion FTP en versiones anteriores a FTA_9_12_220 emplea el componente de flash Accusoft Prizm Content, que contiene m\u00faltiples par\u00e1metros (customTabCategoryName, customButton1Image) que son vulnerables a Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2016-9500",
"lastModified": "2024-11-21T03:01:20.273",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-13T20:29:02.050",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/96154"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/96154"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-07-13 20:29
Modified
2024-11-21 03:01
Severity ?
Summary
Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cret@cert.org | https://www.kb.cert.org/vuls/id/745607 | Third Party Advisory, US Government Resource | |
| cret@cert.org | https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf | Exploit, Third Party Advisory | |
| cret@cert.org | https://www.securityfocus.com/bid/96154 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/745607 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.securityfocus.com/bid/96154 | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| accellion | ftp_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:accellion:ftp_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B564FFD4-6A90-4FD2-A160-9B3422B262CC",
"versionEndExcluding": "fta_9_12_220",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them."
},
{
"lang": "es",
"value": "El servidor Accellion FTP en versiones anteriores a FTA_9_12_220 solo devuelve el nombre de usuario en la respuesta del servidor si el nombre de usuario no es v\u00e1lido. Un atacante podr\u00eda usar esta informaci\u00f3n para determinar cuentas de usuario v\u00e1lidas y enumerarlas."
}
],
"id": "CVE-2016-9499",
"lastModified": "2024-11-21T03:01:20.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-13T20:29:02.003",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/96154"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/96154"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-204"
}
],
"source": "cret@cert.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2016-9499 (GCVE-0-2016-9499)
Vulnerability from cvelistv5
Published
2018-07-13 20:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Accellion | FTP Server |
Version: FTA_9_12_220 < FTA_9_12_220 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"name": "96154",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "https://www.securityfocus.com/bid/96154"
},
{
"name": "VU#745607",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "FTP Server",
"vendor": "Accellion",
"versions": [
{
"lessThan": " FTA_9_12_220",
"status": "affected",
"version": " FTA_9_12_220",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Ashish Kamble for reporting this vulnerability."
}
],
"datePublic": "2017-02-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-13T19:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"name": "96154",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "https://www.securityfocus.com/bid/96154"
},
{
"name": "VU#745607",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
}
],
"solutions": [
{
"lang": "en",
"value": "Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting.",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2016-9499",
"STATE": "PUBLIC",
"TITLE": "The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FTP Server",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": " FTA_9_12_220",
"version_value": " FTA_9_12_220"
}
]
}
}
]
},
"vendor_name": "Accellion"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Ashish Kamble for reporting this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-204"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf",
"refsource": "MISC",
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"name": "96154",
"refsource": "BID",
"url": "https://www.securityfocus.com/bid/96154"
},
{
"name": "VU#745607",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/745607"
}
]
},
"solution": [
{
"lang": "en",
"value": "Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2016-9499",
"datePublished": "2018-07-13T20:00:00",
"dateReserved": "2016-11-21T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9500 (GCVE-0-2016-9500)
Vulnerability from cvelistv5
Published
2018-07-13 20:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Accellion | FTP Server |
Version: FTA_9_12_220 < FTA_9_12_220 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.629Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"name": "96154",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "https://www.securityfocus.com/bid/96154"
},
{
"name": "VU#745607",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "FTP Server",
"vendor": "Accellion",
"versions": [
{
"lessThan": " FTA_9_12_220",
"status": "affected",
"version": " FTA_9_12_220",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Ashish Kamble for reporting this vulnerability."
}
],
"datePublic": "2017-02-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-13T19:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"name": "96154",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "https://www.securityfocus.com/bid/96154"
},
{
"name": "VU#745607",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/745607"
}
],
"solutions": [
{
"lang": "en",
"value": "Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to informaiton exposure",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2016-9500",
"STATE": "PUBLIC",
"TITLE": "The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to informaiton exposure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FTP Server",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_name": " FTA_9_12_220",
"version_value": " FTA_9_12_220"
}
]
}
}
]
},
"vendor_name": "Accellion"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Ashish Kamble for reporting this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf",
"refsource": "MISC",
"url": "https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf"
},
{
"name": "96154",
"refsource": "BID",
"url": "https://www.securityfocus.com/bid/96154"
},
{
"name": "VU#745607",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/745607"
}
]
},
"solution": [
{
"lang": "en",
"value": "Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2016-9500",
"datePublished": "2018-07-13T20:00:00",
"dateReserved": "2016-11-21T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}