
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
• Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.
• Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
• CWE-346: Origin Validation Error

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
• Reference: https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.
• References: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver ; http://www.kb.cert.org/vuls/id/505560
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.
• References: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver ; http://www.kb.cert.org/vuls/id/505560
• CWE-264: Permissions, Privileges, and Access Controls