The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting and information exposure.
CWE-204: Response Discrepancy Information Exposure - CVE-2016-9499
Accellion FTP server only returns the username in the server response if the username is invalid; a failed login with a valid username produces a different response. An attacker may use this difference to determine which user accounts exist and enumerate them.
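The following is an added illustration, not Accellion's code: a constructed login handler that exhibits the response-discrepancy pattern described above (the error text differs for unknown and known usernames), the same handler with a single generic failure message, and the attacker-side check that tells the two apart. The user store, password hashing and message strings are assumptions for the example only; the enumeration check normalises away the echoed username so that it reacts to the differing message structure rather than to the name itself.

```python
"""Response discrepancy (CWE-204) username enumeration, constructed example.

Not Accellion's code: the user store, hashing scheme and message strings are
assumptions chosen only to illustrate the weakness and its fix.
"""
import hashlib
import hmac

# Constructed user store: username -> salted SHA-256 of the password.
_SALT = b"example-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _check_password(username, password):
    """Return True only when username exists and the password matches."""
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = _USERS.get(username)
    if stored is None:
        # Hash work is done before the lookup result is used so that unknown
        # users cost roughly the same as known ones (timing side channel).
        return False
    return hmac.compare_digest(stored, candidate)


def login_leaky(username, password):
    """Vulnerable pattern: the failure message reveals whether the user exists."""
    if username not in _USERS:
        # Echoes the name only for unknown users; a known user with a bad
        # password gets a different message below.
        return "Invalid user '%s'" % username
    if not _check_password(username, password):
        return "Invalid password"
    return "OK"


def login_fixed(username, password):
    """Hardened pattern: one generic message regardless of which check failed."""
    if _check_password(username, password):
        return "OK"
    return "Invalid username or password"


def enumerate_users(login, candidates, probe_user="zz_no_such_user_zz"):
    """Attacker-side check for the discrepancy.

    The failure response for a name that certainly does not exist is the
    baseline. Each candidate is tried with a wrong password; if its response
    differs from the baseline (after replacing the echoed name with a
    placeholder), the server is distinguishing known from unknown users and
    the candidate is reported as an existing account.
    """
    baseline = login(probe_user, "wrong").replace(probe_user, "<user>")
    found = []
    for name in candidates:
        response = login(name, "wrong").replace(name, "<user>")
        if response != baseline:
            found.append(name)
    return found


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky server leaks:", enumerate_users(login_leaky, names))  # ['alice']
    print("fixed server leaks:", enumerate_users(login_fixed, names))  # []
```

Against the leaky handler the check reports alice because her failed login returns "Invalid password" while the baseline is "Invalid user '<user>'"; against the fixed handler every failure returns the same string and nothing is reported. The fix is to make every failed authentication attempt, whatever its cause, produce the same response body and status.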
A remote, unauthenticated attacker may be able to enumerate valid user accounts on the Accellion FTP server, or may conduct reflected cross-site scripting attacks against users of the server.
Apply an update. These issues are addressed in Accellion FTP server version FTA_9_12_220; affected users should upgrade to FTA_9_12_220 or later.
Thanks to Ashish Kamble for reporting this vulnerability.
This document was written by Garret Wassermann.