CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.004 Low (Percentile 72.8%)

Metric | CVSS2 | CVSS3 |
---|---|---|
Attack Vector | NETWORK | NETWORK |
Attack Complexity | LOW | LOW |
Authentication / Privileges Required | NONE | NONE |
User Interaction | - | NONE |
Scope | - | UNCHANGED |
Confidentiality Impact | PARTIAL | HIGH |
Integrity Impact | PARTIAL | HIGH |
Availability Impact | PARTIAL | HIGH |
The Accellion File Transfer Appliance (FTA) contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The Accellion File Transfer Appliance contains multiple vulnerabilities in versions below FTA_9_12_40.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-2350
Affected versions of the Accellion File Transfer Appliance contain three cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary HTML content (including script) within the following pages:
* move_partition_frame.html
* getimageajax.php
* wmInfo.html
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-2351
The Accellion File Transfer Appliance contains a SQL injection vulnerability due to improper escaping of the `client_id` parameter in `/home/seos/courier/security_key2.api`, allowing an attacker to inject arbitrary code via `client_id` and recover private data.
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2016-2352
The Accellion File Transfer Appliance is vulnerable to command injection due to unsafe handling of restricted users utilizing the YUM_CLIENT. This allows a restricted user to execute arbitrary commands with root privileges.
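As an added example (not part of the vulnerability note or of Accellion's code), a first-pass web-log triage for the XSS and SQL injection entries above: it flags requests to the named pages whose decoded parameter values carry HTML or SQL metacharacters. The `/courier/` web path, the combined log format and the log entries themselves are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the note. The web path for security_key2.api is an assumption:
# the note gives only the filesystem path /home/seos/courier/security_key2.api.
SQLI_ENDPOINTS = {"/courier/security_key2.api": {"client_id"}}   # CVE-2016-2351
XSS_ENDPOINTS = {"/courier/move_partition_frame.html",           # CVE-2016-2350
                 "/courier/getimageajax.php",
                 "/courier/wmInfo.html"}
XSS_PATHS = {p.lower() for p in XSS_ENDPOINTS}   # paths are compared case-insensitively

# Combined log format: ip ident user [time] "METHOD /url HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" \d{3}')
# Crude indicators for triage; tighten to the values the application legitimately accepts.
SQL_META = re.compile(r"['\";]|--|/\*")
HTML_META = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)

def classify_request(line):
    """Return (cve, parameter, decoded value) when a request to one of the
    note's endpoints carries a suspicious parameter value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for endpoint, names in SQLI_ENDPOINTS.items():
        if path == endpoint.lower():
            for name in names:
                for value in params.get(name, []):
                    if SQL_META.search(value):
                        return ("CVE-2016-2351", name, value)
    if path in XSS_PATHS:
        for name, values in params.items():
            for value in values:
                if HTML_META.search(value):
                    return ("CVE-2016-2350", name, value)
    return None

def scan_log(lines):
    """Return every flagged request as (line_number, cve, parameter, value)."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify_request(line))]

# Constructed sample entries (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2016:10:00:01 +0000] "GET /courier/security_key2.api?client_id=1042 HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Apr/2016:10:00:02 +0000] "GET /courier/security_key2.api?client_id=1042%27%20-- HTTP/1.1" 200 9188',
    '203.0.113.9 - - [21/Apr/2016:10:00:03 +0000] "GET /courier/wmInfo.html?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 771',
    '203.0.113.9 - - [21/Apr/2016:10:00:04 +0000] "GET /courier/getimageajax.php?id=7 HTTP/1.1" 200 130',
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 3 only; the benign requests to the same endpoints pass, which is the point of matching on decoded parameter values rather than on the path alone.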
A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system and view sensitive data.
Apply an update
Affected users should update to version FTA_9_12_40 as soon as possible.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 5.9 | E:POC/RL:OF/RC:ND |
Environmental | 4.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Orange Tsai for reporting these vulnerabilities.
This document was written by Deana Shick.
CVE IDs: | CVE-2016-2350, CVE-2016-2351, CVE-2016-2352, CVE-2016-2353 |
---|---|
Date Public: | 2016-04-21 |
Date First Published: | |