CVE-2016-2350
https://notcve.org/view.php?id=CVE-2016-2350
Multiple cross-site scripting (XSS) vulnerabilities on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) getimageajax.php, (2) move_partition_frame.html, or (3) wmInfo.html.
References: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver ; http://www.kb.cert.org/vuls/id/505560
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-2353
https://notcve.org/view.php?id=CVE-2016-2353
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.
References: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver ; http://www.kb.cert.org/vuls/id/505560
CWE-264: Permissions, Privileges, and Access Controls
CVE-2016-2351
https://notcve.org/view.php?id=CVE-2016-2351
SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.
References: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver ; http://www.kb.cert.org/vuls/id/505560
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-2352
https://notcve.org/view.php?id=CVE-2016-2352
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.
References: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver ; http://www.kb.cert.org/vuls/id/505560
CWE-264: Permissions, Privileges, and Access Controls
CVE-2015-2857 – Accellion FTA - getStatus verify_oauth_token Command Execution
https://notcve.org/view.php?id=CVE-2015-2857
Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.
References: https://www.exploit-db.com/exploits/37597 ; http://packetstormsecurity.com/files/132665/Accellion-FTA-getStatus-verify_oauth_token-Command-Execution.html ; http://www.rapid7.com/db/modules/exploit/linux/http/accellion_fta_getstatus_oauth ; https://community.rapid7.com/community/metasploit/blog/2015/07/10/r7-2015-08-accellion-file-transfer-appliance-vulnerabilities-cve-2015-2856-cve-2015-2857 ; http://r-7.co/R7-2015-08
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')