search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Accellion FTP server contains information exposure and cross-site scripting vulnerabilities

Vulnerability Note VU#745607

Original Release Date: 2017-02-08 | Last Revised: 2017-02-08


The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting and information exposure.


CWE-204: Response Discrepancy Information Exposure - CVE-2016-9499

Accellion FTP server only returns the username in the server response if the a username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-9500

Accellion FTP server uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.

For more information, please see Qualys's security advisory.


A remote attacker may be able to enumerate user accounts on the Accellion FTP server or may conduct reflected cross-site scripting attacks.


Apply an update

Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.

Vendor Information


Accellion Affected

Notified:  December 09, 2016 Updated: January 20, 2017



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.4 E:POC/RL:OF/RC:C
Environmental 2.5 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Ashish Kamble for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-9499, CVE-2016-9500
Date Public: 2017-01-31
Date First Published: 2017-02-08
Date Last Updated: 2017-02-08 16:27 UTC
Document Revision: 30

Sponsored by CISA.