CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Accellion : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-31586 89 Sql 2021-06-23 2021-06-25
6.5
None Remote Low ??? Partial Partial Partial
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search.
2 CVE-2021-31585 269 2021-06-23 2021-06-25
4.6
None Local Low Not required Partial Partial Partial
Accellion Kiteworks before 7.3.1 allows a user with Admin privileges to escalate their privileges by generating SSH passwords that allow local access.
3 CVE-2021-27731 79 XSS 2021-03-02 2021-03-05
4.3
None Remote Medium Not required None Partial None
Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed version is FTA_9_12_444 and later.
4 CVE-2021-27730 74 2021-03-02 2021-03-05
7.5
None Remote Low Not required Partial Partial Partial
Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later.
5 CVE-2021-27104 78 Exec Code 2021-02-16 2021-02-17
10.0
None Remote Low Not required Complete Complete Complete
Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
6 CVE-2021-27103 918 2021-02-16 2021-02-17
7.5
None Remote Low Not required Partial Partial Partial
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
7 CVE-2021-27102 78 Exec Code 2021-02-16 2021-02-19
7.2
None Local Low Not required Complete Complete Complete
Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later.
8 CVE-2021-27101 89 Sql 2021-02-16 2021-02-17
7.5
None Remote Low Not required Partial Partial Partial
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.
9 CVE-2019-5623 78 2020-04-29 2021-09-14
7.5
None Remote Low Not required Partial Partial Partial
Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').
10 CVE-2019-5622 798 2020-04-29 2020-05-07
7.5
None Remote Low Not required Partial Partial Partial
Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-798: Use of Hard-coded Credentials.
11 CVE-2017-9421 287 Bypass 2018-05-24 2018-06-27
6.4
None Remote Low Not required Partial Partial None
Authentication Bypass vulnerability in Accellion kiteworks before 2017.01.00 allows remote attackers to execute certain API calls on behalf of a web user using a gathered token via a POST request to /oauth/token.
12 CVE-2017-8796 89 Sql 2017-05-05 2017-05-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
13 CVE-2017-8795 79 XSS 2017-05-05 2017-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter.
14 CVE-2017-8794 918 2017-05-05 2017-05-17
6.4
None Remote Low Not required Partial Partial None
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
15 CVE-2017-8793 346 Bypass 2017-05-05 2019-10-03
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site access with a bypass of the Same Origin Policy.
16 CVE-2017-8792 79 XSS 2017-05-05 2017-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter.
17 CVE-2017-8791 93 2017-05-05 2017-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a home/seos/courier/login.html auth_params CRLF attack vector.
18 CVE-2017-8790 90 2017-05-05 2017-05-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection.
19 CVE-2017-8789 89 Sql 2017-05-05 2017-05-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists.
20 CVE-2017-8788 93 2017-05-05 2017-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a CRLF vulnerability in settings_global_text_edit.php allowing ?display=x%0Dnewline attacks.
21 CVE-2017-8760 79 XSS Bypass 2017-05-05 2017-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS Vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding.
22 CVE-2017-8304 79 XSS 2017-05-05 2017-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Accellion FTA devices before FTA_9_12_180. courier/1000@/oauth/playground/callback.html allows XSS with a crafted URI.
23 CVE-2017-8303 116 Exec Code 2017-05-05 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter.
24 CVE-2016-9500 79 XSS 2018-07-13 2019-10-09
4.3
None Remote Medium Not required None Partial None
Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.
25 CVE-2016-9499 200 +Info 2018-07-13 2019-10-09
5.0
None Remote Low Not required Partial None None
Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.
26 CVE-2016-5664 22 Dir. Trav. 2016-08-26 2016-11-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability on Accellion Kiteworks appliances before kw2016.03.00 allows remote attackers to read files via a crafted URI.
27 CVE-2016-5663 79 XSS 2016-08-26 2016-11-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in oauth_callback.php on Accellion Kiteworks appliances before kw2016.03.00 allow remote attackers to inject arbitrary web script or HTML via the (1) code, (2) error, or (3) error_description parameter.
28 CVE-2016-5662 +Priv 2016-08-26 2016-11-28
7.2
None Local Low Not required Complete Complete Complete
Accellion Kiteworks appliances before kw2016.03.00 use setuid-root permissions for /opt/bin/cli, which allows local users to gain privileges via unspecified vectors.
29 CVE-2016-2353 264 +Priv 2016-05-07 2016-05-10
7.2
None Local Low Not required Complete Complete Complete
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.
30 CVE-2016-2352 264 Exec Code 2016-05-07 2016-05-09
6.5
None Remote Low ??? Partial Partial Partial
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.
31 CVE-2016-2351 89 Exec Code Sql 2016-05-07 2016-05-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.
32 CVE-2016-2350 79 XSS 2016-05-07 2016-05-10
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) getimageajax.php, (2) move_partition_frame.html, or (3) wmInfo.html.
33 CVE-2015-2857 77 Exec Code 2017-08-22 2020-09-09
7.5
None Remote Low Not required Partial Partial Partial
Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.
34 CVE-2015-2856 22 Dir. Trav. 2017-10-10 2017-10-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie.
35 CVE-2009-4648 264 +Priv 2010-02-19 2017-08-17
7.2
None Local Low Not required Complete Complete Complete
Accellion Secure File Transfer Appliance before 8_0_105 does not properly restrict access to sensitive commands and arguments that run with extra sudo privileges, which allows local administrators to gain privileges via (1) arbitrary arguments in the --file_move action in /usr/local/bin/admin.pl, or a hard link attack in (2) chmod or (3) a certain cp command.
36 CVE-2009-4647 79 XSS 2010-02-19 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Accellion Secure File Transfer Appliance before 7_0_296 allows remote attackers to inject arbitrary web script or HTML via the username parameter, which is not properly handled when the administrator views audit logs.
37 CVE-2009-4646 94 2010-02-19 2010-02-22
9.0
None Remote Low ??? Complete Complete Complete
Static code injection vulnerability in the administrative web interface in Accellion Secure File Transfer Appliance allows remote authenticated administrators to inject arbitrary shell commands by appending them to a request to update the SNMP public community string.
38 CVE-2009-4645 22 Dir. Trav. 2010-02-19 2017-08-17
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in web_client_user_guide.html in Accellion Secure File Transfer Appliance before 8_0_105 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.
39 CVE-2009-4644 78 Exec Code Bypass 2010-02-19 2017-08-17
9.0
None Remote Low ??? Complete Complete Complete
Accellion Secure File Transfer Appliance before 8_0_105 allows remote authenticated administrators to bypass the restricted shell and execute arbitrary commands via shell metacharacters to the ping command, as demonstrated by modifying the cli program.
40 CVE-2008-7012 2009-08-19 2017-08-17
7.8
None Remote Low Not required None Complete None
courier/1000@/api_error_email.html (aka "error reporting page") in Accellion File Transfer Appliance FTA_7_0_178, and possibly other versions before FTA_7_0_189, allows remote attackers to send spam e-mail via modified description and client_email parameters.
41 CVE-2008-3850 79 XSS 2008-08-27 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Accellion File Transfer FTA_7_0_135 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to courier/forgot_password.html.
Total number of vulnerabilities : 41   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.