CVE-2017-8794
https://notcve.org/view.php?id=CVE-2017-8794
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern. Se descubrió un problema en los dispositivos Accellion FTA anteriores a FTA_9_12_180. Debido a una expresión regular (destinada a coincidir con las URL https locales) carece de un carácter ^ inicial, courier/web/1000@/wmProgressval.html, que permite ataques SSRF con un archivo: ///etc/passwd#https:// patrón de URL. • https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2017-8796
https://notcve.org/view.php?id=CVE-2017-8796
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter. Se descubrió un problema en los dispositivos Accellion FTA anteriores a FTA_9_12_180. Debido a que mysql_real_escape_string es utilizado erróneamente, seos/courier/communication_p2p.php permite inyección SQL con el parámetro app_id. • https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-8793
https://notcve.org/view.php?id=CVE-2017-8793
An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy. Se descubrió un problema en los dispositivos Accellion FTA anteriores a FTA_9_12_180. Al enviar una solicitud POST a home/seos/courier/web/wmProgressstat.html.php con un dominio atacante en el parámetro acallow, el dispositivo responderá con un encabezado Access-Control-Allow-Origin que permite al atacante tener acceso al sitio eludiendo la Same Origin Policy. • https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb • CWE-346: Origin Validation Error •
CVE-2017-8760
https://notcve.org/view.php?id=CVE-2017-8760
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS Vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding. Se detectó un problema en los dispositivos FTA anterior a versión FTA_9_12_180 de Accellion. • https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-8795
https://notcve.org/view.php?id=CVE-2017-8795
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter. Se descubrió un problema en los dispositivos Accellion FTA anteriores a FTA_9_12_180. existe una vulnerabilidad de tipo XSS en home/seos/courier/smtpg_add.html con el parámetro param. • https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •