
CERT Coordination Center


Accellion FTP server contains information exposure and cross-site scripting vulnerabilities

Vulnerability Note VU#745607

Original Release Date: 2017-02-08 | Last Revised: 2017-02-08

Overview

The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting and information exposure.

Description

CWE-204: Response Discrepancy Information Exposure - CVE-2016-9499

Accellion FTP server only returns the username in the server response if the username is invalid. An attacker may use this difference in responses to determine which user accounts exist and enumerate them.
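The response-discrepancy pattern above, as an added example that is not Accellion's code and not taken from the advisory: a login handler written two ways. The vulnerable version echoes the supplied username only when the account is unknown, so the wording of the failure tells the caller which accounts exist; the hardened version returns one identical message on every failure and does the same hashing work on every path. The user store, salt and passwords are constructed sample data, and `has_response_discrepancy` is a hypothetical defender-side check for the behaviour the advisory describes.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed user store (sample data, not real credentials):
# username -> PBKDF2 hash of the password.
_SALT = b"constructed-salt"
_ITER = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)


USERS = {"alice": _hash("correct horse"), "bob": _hash("battery staple")}
# Hash compared against for unknown usernames so the hardened path
# performs the same work whether or not the account exists.
_DUMMY_HASH = _hash("dummy")


def vulnerable_login(username: str, password: str) -> Tuple[bool, str]:
    """CWE-204 pattern: the username is echoed only when it is unknown,
    so the failure text distinguishes existing accounts from non-existent ones."""
    stored = USERS.get(username)
    if stored is None:
        return False, f"User {username} not found."
    if hmac.compare_digest(stored, _hash(password)):
        return True, "Login successful."
    return False, "Invalid password."


def hardened_login(username: str, password: str) -> Tuple[bool, str]:
    """Uniform failure message regardless of which part was wrong, and the
    same hashing work on every path so timing does not replace wording as a signal."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if ok:
        return True, "Login successful."
    return False, "Invalid username or password."


def has_response_discrepancy(login_fn: Callable[[str, str], Tuple[bool, str]],
                             known_user: str, unknown_user: str) -> bool:
    """Hypothetical check a defender can run against a handler: does a wrong
    password for an existing account produce a different failure response
    than the same attempt for an account that does not exist?"""
    _, msg_known = login_fn(known_user, "wrong-password")
    _, msg_unknown = login_fn(unknown_user, "wrong-password")
    return msg_known != msg_unknown


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, "leaks account existence:", has_response_discrepancy(fn, "alice", "mallory"))
```

The check compares only the message text; in a real assessment the same comparison should be applied to status codes, headers, response length and timing, since any of those can carry the same discrepancy.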

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-9500

Accellion FTP server uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.
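Reflected XSS through component parameters, as an added example that is not Accellion's or Accusoft's code: two renderers that place the two parameter names from the advisory into a `flashvars` attribute of a `<param>` tag. The attribute context is an assumption for illustration (the advisory does not state how the component embeds them). The unsafe renderer interpolates raw values, so a value containing a quote or angle bracket breaks out of the attribute; the safe one percent-encodes each value for the query string and then HTML-escapes the whole attribute. `markup_is_single_param` and `reflected_params` are hypothetical helpers that check whether the rendered markup still parses as one tag and that the values round-trip intact. The probe value is constructed and deliberately harmless.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

PARAM_NAMES = ("customTabCategoryName", "customButton1Image")


def render_unsafe(params: dict) -> str:
    """Reflects request parameters straight into markup (the CWE-80 pattern)."""
    return '<param name="flashvars" value="customTabCategoryName=%s&customButton1Image=%s">' % (
        params.get("customTabCategoryName", ""),
        params.get("customButton1Image", ""),
    )


def render_safe(params: dict) -> str:
    """Encodes for both nested contexts: percent-encoding for the query string,
    then HTML escaping (quotes included) for the attribute that carries it."""
    flashvars = urlencode({k: params.get(k, "") for k in PARAM_NAMES})
    return '<param name="flashvars" value="%s">' % html.escape(flashvars, quote=True)


class _TagCollector(HTMLParser):
    """Collects every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def _parse_tags(markup: str):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def markup_is_single_param(markup: str) -> bool:
    """True only if the output is still exactly one <param> tag with the two
    expected attributes; any break-out produces extra tags or attributes."""
    tags = _parse_tags(markup)
    return len(tags) == 1 and tags[0][0] == "param" and set(tags[0][1]) == {"name", "value"}


def reflected_params(markup: str) -> dict:
    """Decodes the flashvars attribute back into parameter values so a test can
    confirm that encoding preserved the data rather than mangling it."""
    tags = _parse_tags(markup)
    return parse_qs(tags[0][1].get("value", "")) if tags else {}


# Constructed probe: a quote and a tag that should stay inert inside the attribute.
PROBE = {"customTabCategoryName": '"><b>x</b>', "customButton1Image": "btn.png"}

if __name__ == "__main__":
    print("unsafe stays one tag:", markup_is_single_param(render_unsafe(PROBE)))
    print("safe stays one tag:  ", markup_is_single_param(render_safe(PROBE)))
    print("safe round-trips:    ", reflected_params(render_safe(PROBE)))
```

The same double-encoding rule applies to any value that passes through two parsers on its way into the page: encode for the innermost format first, then for the HTML context that wraps it, and never rely on a single escape to cover both.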

For more information, please see Qualys's security advisory.

Impact

A remote attacker may be able to enumerate user accounts on the Accellion FTP server or may conduct reflected cross-site scripting attacks.

Solution

Apply an update

Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.

Vendor Information


Accellion

Notified: December 09, 2016 | Updated: January 20, 2017

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  2.5    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Ashish Kamble for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-9499, CVE-2016-9500
Date Public: 2017-01-31
Date First Published: 2017-02-08
Date Last Updated: 2017-02-08 16:27 UTC
Document Revision: 29

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.