Vulnerability Note VU#745607

Accellion FTP server contains information exposure and cross-site scripting vulnerabilities

Original Release date: 08 Feb 2017 | Last revised: 08 Feb 2017


The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting and information exposure.


CWE-204: Response Discrepancy Information Exposure - CVE-2016-9499

Accellion FTP server only returns the username in the server response if the a username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-9500

Accellion FTP server uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.

For more information, please see Qualys's security advisory.


A remote attacker may be able to enumerate user accounts on the Accellion FTP server or may conduct reflected cross-site scripting attacks.


Apply an update

Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
AccellionAffected09 Dec 201620 Jan 2017
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.4 E:POC/RL:OF/RC:C
Environmental 2.5 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Ashish Kamble for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-9499 CVE-2016-9500
  • Date Public: 31 Jan 2017
  • Date First Published: 08 Feb 2017
  • Date Last Updated: 08 Feb 2017
  • Document Revision: 29


If you have feedback, comments, or additional information about this vulnerability, please send us email.