20 matches found
CVE-2015-2857
CVE-2015-2857 affects Accellion File Transfer Appliance (FTA) prior to FTA_9_11_210. The vulnerability allows remote code execution via shell metacharacters in the oauth_token parameter, caused by insufficient input sanitization. Public references and sightings indicate exploit tooling exist (e.g...
CVE-2017-8789
Accellion FTA devices prior to FTA_9_12_180 are affected by a SQL injection in the report_error.php?year parameter. The issue allows a remote attacker to potentially execute arbitrary SQL commands against the backend database. Root cause is an injectable SQL vector in report_error.php, exposing c...
CVE-2015-2856
CVE-2015-2856 affects Accellion File Transfer Appliance (FTA) prior to FTA_9_11_210. A directory traversal flaw in the template function of functions.inc allows remote attackers to read arbitrary files by manipulating the statecode cookie (statecode-based path traversal). Public exploit/module ex...
CVE-2017-8760
CVE-2017-8760: An XSS vulnerability affecting Accellion FTA devices prior to FTA_9_12_180. The flaw resides in the courier/1000@/index.html page via the auth_params parameter, with the device’s internal WAF filters unable to reliably block certain payloads; bypasses via URL-encoding and similar m...
CVE-2017-8791
CVE-2017-8791 affects Accellion FTA devices prior to FTA_9_12_180. The vulnerability is a CRLF injection in the login page parameter path: home/seos/courier/login.html auth_params, allowing a remote attacker to trigger a CRLF-based attack. Public sources in CNVD/NVD confirm a remote-exploitation ...
CVE-2016-2351
CVE-2016-2351 affects the Accellion File Transfer Appliance (FTA) prior to FTA_9_12_40. The vulnerability is an SQL injection in the file path home/seos/courier/security_key2.api that allows a remote attacker to execute arbitrary SQL commands via the client_id parameter, as documented by NVD and ...
CVE-2017-8790
Summary: CVE-2017-8790 concerns the Accellion FTA line prior to version FTA_9_12_180. The vulnerability is a LDAP Injection in the web interface, specifically the POST parameter filter in the path home/seos/courier/ldaptest.html. The root cause is improper handling of LDAP queries, allowing a rem...
CVE-2016-2350
CVE-2016-2350 refers to multiple XSS vulnerabilities in Accellion File Transfer Appliance (FTA) prior to FTA_9_12_40. The affected components are getimageajax.php, move_partition_frame.html, and wmInfo.html, which can be exploited by supplying input that results in arbitrary web script or HTML ex...
CVE-2017-8794
Vulnerability: Accellion FTA devices prior to FTA_9_12_180 are affected by CVE-2017-8794. Root cause: a regular expression intended to match local https URLs lacks the initial ^, allowing SSRF via courier/web/1000@/wmProgressval.html with crafted file:///etc/passwd#https:// URLs. Impact: server-s...
CVE-2016-2353
The connected OpenVAS entry identifies multiple vulnerabilities in Accellion File Transfer Appliance (FTA) prior to FTA_9_12_40, including local privilege escalation by allowing a local user to add an SSH key to an arbitrary group, enabling privilege gain. The CVE-2016-2353 entry likewise describ...
CVE-2017-8788
CVE-2017-8788 affects Accellion FTA devices prior to FTA_9_12_180. A CRLF injection vulnerability exists in settings_global_text_edit.php that enables newline/CRLF payloads (e.g., ?display=x%0Dnewline) and, per CNVD/NVD records, can allow remote command execution. Impact details in the connected ...
CVE-2017-8795
Summary of CVE-2017-8795 (Accellion FTA) : A cross-site scripting (XSS) flaw exists in Accellion FTA devices before FTA_9_12_180, specifically in the page home/seos/courier/smtpg_add.html where the parameter is unsafely reflected. This affects Accellion FTA devices prior to the cited version; the...
CVE-2017-8796
CVE-2017-8796 affects Accellion FTA devices prior to FTA_9_12_180. The issue is a misuse of mysql_real_escape_string in seos/courier/communication_p2p.php, enabling SQL injection via the app_id parameter. Impact is high: potential for unauthorized data access/manipulation; CVSS v3.0 base score 9....
CVE-2016-2352
The CVE-2016-2352 entry concerns the Accellion File Transfer Appliance (FTA) prior to FTA_9_12_40. The vulnerability arises from the YUM_CLIENT restricted-user role, enabling remote authenticated users to execute arbitrary commands with elevated privileges. Public documentation across sources con...
CVE-2017-8793
CVE-2017-8793 affects Accellion FTA devices prior to FTA_9_12_180. A POST to home/seos/courier/web/wmProgressstat.html.php with an attacker-controlled acallow parameter can trigger an Access-Control-Allow-Origin header, bypassing Same-Origin Policy and granting the attacker site access. Severity ...
CVE-2019-5622
CVE-2019-5622 affects Accellion File Transfer Appliance (FTA_8_0_540) and is caused by CWE-798: Use of Hard-coded Credentials. Multiple connected records corroborate a hard-coded/default credential issue in the FTA, implying high impact with potential unauthorized access. The CVSS data (v2/v3) ci...
CVE-2019-5623
CVE-2019-5623 affects Accellion File Transfer Appliance, specifically FTA_8_0_540, with a command injection flaw (CWE-77) arising from improper neutralization of input in the construction of executable commands. The vulnerability is network-exposed and could allow an attacker to execute commands ...
CVE-2017-8303
Summary : CVE-2017-8303 affects Accellion FTA devices prior to FTA_9_12_180. The connected CNVD/PRION/CVE records corroborate a vulnerability in seos/1000/find.api that enables Remote Code Execution via shell metacharacters in the method parameter. The core detail across sources is the affected s...
CVE-2017-8304
Accellion FTA devices prior to FTA_9_12_180 are affected by a cross-site scripting vulnerability in courier/1000@/oauth/playground/callback.html triggered by a crafted URI. CNVD/NVD entries corroborate a via-URL XSS in the Accellion FTA web UI, listed as CVE-2017-8304. The provided documents do n...
CVE-2017-8792
The CVE-2017-8792 entry concerns Accellion FTA devices prior to FTA_9_12_180 with a Cross‑Site Scripting (XSS) flaw in the web page path home/seos/courier/user_add.html, exploitable via the parameter field. The connected documents consistently describe the vulnerability as XSS; no exploit details...