Accellion File Transfer Appliance vulnerabilities
20 known vulnerabilities affecting accellion/file_transfer_appliance.
Total CVEs: 20
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 9, HIGH 4, MEDIUM 7
Vulnerabilities
Entry header columns: CVE | priority | severity | CVSS score | exploit status | affected or fixed version | date
CVE-2015-2857 | P1 | CRITICAL | CVSS 9.8 | PoC | ≤ 9_11_200 | 2017-08-22
CWE-77. Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.
Source: nvd
CVE-2015-2856 | P2 | HIGH | CVSS 7.5 | PoC | ≤ fta_9_11_200 | 2017-10-10
CWE-22. Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie.
Source: nvd
CVE-2017-8303 | P2 | CRITICAL | CVSS 9.8 | fixed in 9_12_180 | 2017-05-05
CWE-116. An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter.
Source: nvd
CVE-2019-5623 | P3 | CRITICAL | CVSS 9.8 | v8_0_540, vFTA_8_0_540 | 2020-04-29
CWE-77. Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').
Source: nvd
CVE-2016-2352 | P3 | HIGH | CVSS 8.8 | ≤ 9_11_210 | 2016-05-07
CWE-264. The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.
Source: nvd
CVE-2016-2351 | P3 | CRITICAL | CVSS 9.8 | ≤ 9_11_210 | 2016-05-07
CWE-89. SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.
Source: nvd
CVE-2017-8796 | P3 | CRITICAL | CVSS 9.8 | ≤ 9_12_40 | 2017-05-05
CWE-89. An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
Source: nvd
CVE-2019-5622 | P3 | CRITICAL | CVSS 9.8 | v8_0_540, vFTA_8_0_540 | 2020-04-29
CWE-798. Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-798: Use of Hard-coded Credentials.
Source: nvd
CVE-2017-8789 | P3 | CRITICAL | CVSS 9.8 | ≤ 9_12_40 | 2017-05-05
CWE-89. An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists.
Source: nvd
CVE-2017-8794 | P3 | CRITICAL | CVSS 10.0 | ≤ 9_12_40 | 2017-05-05
CWE-918. An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
Source: nvd
CVE-2017-8790 | P3 | CRITICAL | CVSS 9.8 | ≤ 9_12_40 | 2017-05-05
CWE-90. An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection.
Source: nvd
CVE-2017-8793 | P3 | HIGH | CVSS 8.8 | ≤ 9_12_40 | 2017-05-05
CWE-346. An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.
Source: nvd
CVE-2016-2353 | P3 | HIGH | CVSS 7.8 | ≤ 9_11_210 | 2016-05-07
CWE-264. The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.
Source: nvd
CVE-2017-8760 | P4 | MEDIUM | CVSS 6.1 | ≤ 9_12_40 | 2017-05-05
CWE-79. An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding.
Source: nvd
CVE-2017-8791 | P4 | MEDIUM | CVSS 6.1 | ≤ 9_12_40 | 2017-05-05
CWE-93. An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a home/seos/courier/login.html auth_params CRLF attack vector.
Source: nvd
CVE-2017-8795 | P4 | MEDIUM | CVSS 6.1 | ≤ 9_12_40 | 2017-05-05
CWE-79. An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter.
Source: nvd
CVE-2017-8792 | P4 | MEDIUM | CVSS 6.1 | ≤ 9_12_40 | 2017-05-05
CWE-79. An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter.
Source: nvd
CVE-2017-8788 | P4 | MEDIUM | CVSS 6.1 | ≤ 9_12_40 | 2017-05-05
CWE-93. An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a CRLF vulnerability in settings_global_text_edit.php allowing ?display=x%0Dnewline attacks.
Source: nvd
CVE-2016-2350 | P4 | MEDIUM | CVSS 6.1 | ≤ 9_11_210 | 2016-05-07
CWE-79. Multiple cross-site scripting (XSS) vulnerabilities on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) getimageajax.php, (2) move_partition_frame.html, or (3) wmInfo.html.
Source: nvd
CVE-2017-8304 | P4 | MEDIUM | CVSS 6.1 | ≤ 9_12_40 | 2017-05-05
CWE-79. An issue was discovered on Accellion FTA devices before FTA_9_12_180. courier/1000@/oauth/playground/callback.html allows XSS with a crafted URI.
Source: nvd