CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-25046 – Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2019-25046
The Web Client in Cerberus FTP Server Enterprise before 10.0.19 and 11.x before 11.0.4 allows XSS via an SVG document. El Cliente Web en Cerberus FTP Server Enterprise versiones anteriores a 10.0.19 y 11.x versiones anteriores a 11.0.4 permite un XSS por medio de un documento SVG • https://www.exploit-db.com/exploits/49981 https://www.cerberusftp.com/products/releasenotes https://www.cerberusftp.com/xss-vulnerability-when-previewing-svg-content • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5194
https://notcve.org/view.php?id=CVE-2020-5194
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists. El endpoint de la API zip en Cerberus FTP Server versión 8, permite a un atacante autenticado sin permiso zip usar la funcionalidad zip por medio de un endpoint API sin restricciones. La comprobación de permisos inapropiada ocurre cuando se llama al endpoint file/ajax_download_zip/zip_name. • https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9499 – The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting.
https://notcve.org/view.php?id=CVE-2016-9499
Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them. El servidor Accellion FTP en versiones anteriores a FTA_9_12_220 solo devuelve el nombre de usuario en la respuesta del servidor si el nombre de usuario no es válido. Un atacante podría usar esta información para determinar cuentas de usuario válidas y enumerarlas. • https://www.kb.cert.org/vuls/id/745607 https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf https://www.securityfocus.com/bid/96154 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-204: Observable Response Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9500 – The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to informaiton exposure
https://notcve.org/view.php?id=CVE-2016-9500
Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting. El servidor Accellion FTP en versiones anteriores a FTA_9_12_220 emplea el componente de flash Accusoft Prizm Content, que contiene múltiples parámetros (customTabCategoryName, customButton1Image) que son vulnerables a Cross-Site Scripting (XSS). • https://www.kb.cert.org/vuls/id/745607 https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf https://www.securityfocus.com/bid/96154 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •