Vulnerability Note VU#745607
Accellion FTP server contains information exposure and cross-site scripting vulnerabilities
Original Release date: 08 Feb 2017 | Last revised: 08 Feb 2017
The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting and information exposure.
CWE-204: Response Discrepancy Information Exposure – CVE-2016-9499
Accellion FTP server only returns the username in the server response if the username is invalid.
An attacker may use this information to determine valid user accounts and enumerate them.
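The response-discrepancy pattern described above, as an added Python example that is not code from the advisory or from Accellion: a login handler that echoes only unknown usernames, a hardened form that answers identically either way, and a check a defender can run against both. The account store, messages and function names are constructed for illustration.

```python
# Added example (not from the advisory or Accellion's code): the CWE-204
# pattern described in the note, its hardened form, and a detection check.
import hashlib
import hmac

# Constructed sample account store: username -> salted SHA-256 of password.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS = {"alice": _hash("correct horse")}


def login_vulnerable(username: str, password: str) -> tuple:
    """Echoes the username only when it is unknown, so the error text
    itself reveals whether an account exists (the response discrepancy)."""
    if username not in USERS:
        return False, f"User {username} not found"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return False, "Invalid password"
    return True, "Login successful"


def login_hardened(username: str, password: str) -> tuple:
    """Returns one generic message for both unknown user and wrong password,
    and always computes the candidate hash so the work done does not depend
    on whether the username exists."""
    stored = USERS.get(username)
    candidate = _hash(password)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    return (True, "Login successful") if ok else (False, "Invalid username or password")


def has_response_discrepancy(login, known_user: str, unknown_user: str) -> bool:
    """Defender-side check: compare failed-login responses for an account that
    exists and one that does not. Differing text, or the unknown username
    echoed back, is the CWE-204 signal the advisory describes."""
    wrong = "definitely-wrong-password"
    _, msg_known = login(known_user, wrong)
    _, msg_unknown = login(unknown_user, wrong)
    return msg_known != msg_unknown or unknown_user in msg_unknown
```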
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) – CVE-2016-9500
Accellion FTP server uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.
For more information, please see Qualys’s security advisory.
A remote attacker may be able to enumerate user accounts on the Accellion FTP server or may conduct reflected cross-site scripting attacks.
Apply an update
Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.
Vendor Information
Vendor: Accellion
Status: Affected
Date Notified: 09 Dec 2016
Date Updated: 20 Jan 2017
Thanks to Ashish Kamble for reporting this vulnerability.
This document was written by Garret Wassermann.
31 Jan 2017
Date First Published: 08 Feb 2017
Date Last Updated: 08 Feb 2017