Vulnerability Note VU#745607
Accellion FTP server contains information exposure and cross-site scripting vulnerabilities
The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting and information exposure.
CWE-204: Response Discrepancy Information Exposure - CVE-2016-9499
The Accellion FTP server includes the supplied username in its response only when that username is invalid. Because a valid username therefore produces a different response from an invalid one, a remote attacker can use the discrepancy to determine which accounts exist and enumerate valid users.
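The response discrepancy described above, as an added example that is not part of this note or of Accellion's software: a login handler that echoes the username only on the unknown-user path, the same handler hardened to return one fixed message for both failure cases, and the attacker-side oracle that tells them apart. The account store, password hashing scheme and message strings are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store for the demonstration (not Accellion's data).
# A real deployment would use a slow password hash (bcrypt, scrypt, Argon2);
# SHA-256 keeps the example dependency-free.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# Hash compared against when the username does not exist, so the hardened
# handler does the same amount of work on both failure paths.
DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def vulnerable_login(username: str, password: str) -> str:
    """Discrepant failure responses (CWE-204): the username is echoed back
    only when the account does not exist, so the message itself tells the
    caller whether the account is real."""
    stored = USERS.get(username)
    if stored is None:
        return f"Login failed: user '{username}' not found"
    if hashlib.sha256(password.encode()).hexdigest() != stored:
        return "Login failed: invalid password"
    return "OK"


def hardened_login(username: str, password: str) -> str:
    """Same outcome for an unknown user and a wrong password: one fixed
    message, no echo of caller-supplied data, and a hash comparison on
    both paths so the timing is similar as well."""
    stored = USERS.get(username)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    expected = stored if stored is not None else DUMMY_HASH
    matched = hmac.compare_digest(candidate, expected) and stored is not None
    return "OK" if matched else "Login failed: invalid username or password"


def enumerate_users(login, candidates):
    """Attacker-side oracle. Take the failure response for a username that
    certainly does not exist, turn it into a template by replacing that
    name with a placeholder, and flag any candidate whose failure response
    does not match the template filled with its own name. Against the
    hardened handler every response is identical, so nothing is flagged."""
    probe = "nosuchuser-" + secrets.token_hex(8)
    reference = login(probe, "not-the-password")
    template = reference.replace(probe, "{u}")
    found = []
    for name in candidates:
        if login(name, "not-the-password") != template.format(u=name):
            found.append(name)
    return found


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("vulnerable:", enumerate_users(vulnerable_login, wordlist))
    print("hardened:  ", enumerate_users(hardened_login, wordlist))
```

The oracle does not need to know what the messages say; it only needs two failure responses to differ once the probed name is factored out. That is why the fix has to make the unknown-user and wrong-password paths indistinguishable in content (and, ideally, in timing) rather than merely rewording them.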
A remote attacker may be able to enumerate user accounts on the Accellion FTP server or may conduct reflected cross-site scripting attacks.
Apply an update. Accellion FTP server version FTA_9_12_220 addresses these issues.
Vendor Information

| Vendor    | Status   | Date Notified | Date Updated |
|-----------|----------|---------------|--------------|
| Accellion | Affected | 09 Dec 2016   | 20 Jan 2017  |
CVSS Metrics
Thanks to Ashish Kamble for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-9499 CVE-2016-9500
- Date Public: 31 Jan 2017
- Date First Published: 08 Feb 2017
- Date Last Updated: 08 Feb 2017
- Document Revision: 29
If you have feedback, comments, or additional information about this vulnerability, please send us email.