6 results (0.004 seconds)

CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 2

Accellion Secure File Transfer Appliance before 8_0_105 allows remote authenticated administrators to bypass the restricted shell and execute arbitrary commands via shell metacharacters to the ping command, as demonstrated by modifying the cli program. Accellion Secure File Transfer Appliance anterior a v8_0_105 permite a los administradores remotos autenticados evitar el shell restringido y ejecutar comandos a su elección mediante metacaracteres en el comando ping, como lo demuestra la modificación del programa cli. • http://www.portcullis-security.com/338.php http://www.securityfocus.com/bid/38176 https://exchange.xforce.ibmcloud.com/vulnerabilities/56248 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 3

Directory traversal vulnerability in web_client_user_guide.html in Accellion Secure File Transfer Appliance before 8_0_105 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter. Vulnerabilidad de salto de directorio en web_client_user_guide.html en Accellion Secure File Transfer Appliance anterior a v8_0_105 permite a atacantes remotos leer ficheros a su elección a través de un .. (punto punto) en el parámetro lang. • https://www.exploit-db.com/exploits/33622 http://secunia.com/advisories/38538 http://www.portcullis-security.com/340.php http://www.securityfocus.com/bid/38176 https://exchange.xforce.ibmcloud.com/vulnerabilities/56246 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 2

Cross-site scripting (XSS) vulnerability in Accellion Secure File Transfer Appliance before 7_0_296 allows remote attackers to inject arbitrary web script or HTML via the username parameter, which is not properly handled when the administrator views audit logs. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Accellion Secure File Transfer Appliance anterior a v7_0_296 permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante el parámetro de nombre de usuario, el cual no es adecuadamente manejado cuando el administrador ve los registros de auditoría. • http://secunia.com/advisories/38522 http://www.portcullis-security.com/339.php http://www.securityfocus.com/bid/38176 https://exchange.xforce.ibmcloud.com/vulnerabilities/56247 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 3

Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive commands and arguments that run with extra sudo privileges, which allows local administrators to gain privileges via (1) arbitrary arguments in the --file_move action in /usr/local/bin/admin.pl, or a hard link attack in (2) chmod or (3) a certain cp command. Accellion Secure File Transfer Appliance anterior a v8_0_105 no restringe adecuadamente el acceso a los comandos sensibles y argumentos que se ejecuta con privilegios sudo adicionales, lo cual permite a los administradores locales obtener privilegios a través de (1)argumentos a su elección en la acción --file_move en /usr/local/bin/admin.pl, o un ataque de enlace duro en (2) chmod o (3) un cierto comando cp. • https://www.exploit-db.com/exploits/33623 http://www.portcullis-security.com/338.php http://www.securityfocus.com/bid/38176 https://exchange.xforce.ibmcloud.com/vulnerabilities/56248 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.8EPSS: 2%CPEs: 2EXPL: 3

courier/1000@/api_error_email.html (aka "error reporting page") in Accellion File Transfer Appliance FTA_7_0_178, and possibly other versions before FTA_7_0_189, allows remote attackers to send spam e-mail via modified description and client_email parameters. courier/1000@/api_error_email.html (tambien conocido como "error reporting page") en Accellion File Transfer Appliance FTA_7_0_178, y posiblemente otras versiones anteriores de FTA_7_0_189, permite a atacantes remotos enviar spam a través de los parámetros modificados "description" y "client_email parameter". • https://www.exploit-db.com/exploits/32382 http://osvdb.org/48242 http://secunia.com/advisories/31848 http://www.securityfocus.com/bid/31178 http://www.securitytracker.com/id?1020870 http://zebux.free.fr/pub/Advisory/Advisory_Accellion_SPAM_Engine_Vulnerability_200808.txt https://exchange.xforce.ibmcloud.com/vulnerabilities/45159 •