
CVE-2017-8792
https://notcve.org/view.php?id=CVE-2017-8792
05 May 2017 — An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter.
Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-8793
https://notcve.org/view.php?id=CVE-2017-8793
05 May 2017 — An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.
Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
CWE-346: Origin Validation Error

CVE-2017-8794
https://notcve.org/view.php?id=CVE-2017-8794
05 May 2017 — An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
CWE-918: Server-Side Request Forgery (SSRF)

CVE-2017-8795
https://notcve.org/view.php?id=CVE-2017-8795
05 May 2017 — An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter.
Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-8796
https://notcve.org/view.php?id=CVE-2017-8796
05 May 2017 — An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2016-2350
https://notcve.org/view.php?id=CVE-2016-2350
07 May 2016 — Multiple cross-site scripting (XSS) vulnerabilities on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) getimageajax.php, (2) move_partition_frame.html, or (3) wmInfo.html.
Reference: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2016-2351
https://notcve.org/view.php?id=CVE-2016-2351
07 May 2016 — SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.
Reference: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2016-2352
https://notcve.org/view.php?id=CVE-2016-2352
07 May 2016 — The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.
Reference: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver
CWE-264: Permissions, Privileges, and Access Controls

CVE-2016-2353
https://notcve.org/view.php?id=CVE-2016-2353
07 May 2016 — The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.
Reference: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver
CWE-264: Permissions, Privileges, and Access Controls

CVE-2015-2857 – Accellion FTA - getStatus verify_oauth_token Command Execution
https://notcve.org/view.php?id=CVE-2015-2857
13 Jul 2015 — Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.
Reference: https://packetstorm.news/files/id/132665
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')