CVE-2017-8304
Description
An issue was discovered on Accellion FTA devices before FTA_9_12_180. courier/1000@/oauth/playground/callback.html allows XSS with a crafted URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Accellion FTA devices before FTA_9_12_180 are vulnerable to reflected XSS via a crafted URI in the OAuth playground callback page.
Vulnerability
Accellion FTA devices running versions prior to FTA_9_12_180 contain a reflected cross-site scripting (XSS) vulnerability in the endpoint courier/1000@/oauth/playground/callback.html. An attacker can inject arbitrary JavaScript by crafting a malicious URI whose parameters the callback page reflects into its response without proper sanitization or output encoding. No authentication is required to reach this endpoint [1].
Exploitation
An attacker with network access to the device can craft a URI containing malicious JavaScript and trick a victim into clicking a link (e.g., via phishing). The victim's browser will execute the injected script in the context of the vulnerable page, as the callback page reflects the URI parameters without encoding.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions on the FTA device if the victim is an authenticated administrator. The impact is limited to the browser session but can be leveraged for further attacks.
Mitigation
Accellion has addressed this vulnerability in version FTA_9_12_180. Users should upgrade to this version or later. No workarounds are documented in the available references [1]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
- gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb (nvd; Exploit; Third Party Advisory)
News mentions: 0
No linked articles in our index yet.