CVSS: 4.3 | EPSS: 0% | CPEs: 4 | EXPL: 2

Cross-site scripting (XSS) vulnerability in Accellion Secure File Transfer Appliance before 7_0_296 allows remote attackers to inject arbitrary web script or HTML via the username parameter, which is not properly handled when the administrator views audit logs.

References:
http://secunia.com/advisories/38522
http://www.portcullis-security.com/339.php
http://www.securityfocus.com/bid/38176
https://exchange.xforce.ibmcloud.com/vulnerabilities/56247

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 | EPSS: 0% | CPEs: 5 | EXPL: 2

Accellion Secure File Transfer Appliance before 8_0_105 allows remote authenticated administrators to bypass the restricted shell and execute arbitrary commands via shell metacharacters to the ping command, as demonstrated by modifying the cli program.

References:
http://www.portcullis-security.com/338.php
http://www.securityfocus.com/bid/38176
https://exchange.xforce.ibmcloud.com/vulnerabilities/56248

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 3

Directory traversal vulnerability in web_client_user_guide.html in Accellion Secure File Transfer Appliance before 8_0_105 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.

References:
https://www.exploit-db.com/exploits/33622
http://secunia.com/advisories/38538
http://www.portcullis-security.com/340.php
http://www.securityfocus.com/bid/38176
https://exchange.xforce.ibmcloud.com/vulnerabilities/56246

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.2 | EPSS: 0% | CPEs: 5 | EXPL: 3

Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive commands and arguments that run with extra sudo privileges, which allows local administrators to gain privileges via (1) arbitrary arguments in the --file_move action in /usr/local/bin/admin.pl, or a hard link attack in (2) chmod or (3) a certain cp command.

References:
https://www.exploit-db.com/exploits/33623
http://www.portcullis-security.com/338.php
http://www.securityfocus.com/bid/38176
https://exchange.xforce.ibmcloud.com/vulnerabilities/56248

CWE-264: Permissions, Privileges, and Access Controls

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

Static code injection vulnerability in the administrative web interface in Accellion Secure File Transfer Appliance allows remote authenticated administrators to inject arbitrary shell commands by appending them to a request to update the SNMP public community string.

References:
http://secunia.com/advisories/38538
http://www.portcullis-security.com/339.php

CWE-94: Improper Control of Generation of Code ('Code Injection')