VYPR
Vendor: Accellion

Products: 5
CVEs: 47
Across products: 51
Status: Private

Recent CVEs

  • CVE-2015-2857 (Critical, Aug 22, 2017)
    risk 0.73, cvss 9.8, epss 0.84

    Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.

  • CVE-2017-8303 (Critical, May 5, 2017)
    risk 0.66, cvss 9.8, epss 0.24

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter.

  • CVE-2017-8794 (Critical, May 5, 2017)
    risk 0.65, cvss 10.0, epss 0.02

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.

  • CVE-2017-8796 (Critical, May 5, 2017)
    risk 0.64, cvss 9.8, epss 0.01

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.

  • CVE-2017-8790 (Critical, May 5, 2017)
    risk 0.64, cvss 9.8, epss 0.01

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection.

  • CVE-2017-8789 (Critical, May 5, 2017)
    risk 0.64, cvss 9.8, epss 0.01

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists.

  • CVE-2016-2351 (Critical, May 7, 2016)
    risk 0.64, cvss 9.8, epss 0.02

    SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.

  • CVE-2016-2352 (High, May 7, 2016)
    risk 0.58, cvss 8.8, epss 0.05

    The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.

  • CVE-2017-8793 (High, May 5, 2017)
    risk 0.57, cvss 8.8, epss 0.01

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the…

  • CVE-2015-2856 (High, Oct 10, 2017)
    risk 0.56, cvss 7.5, epss 0.57

    Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie.

  • CVE-2026-24752 (High, Jun 1, 2026)
    risk 0.53, cvss 8.2, epss 0.00

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a…

  • CVE-2026-24751 (High, Jun 1, 2026)
    risk 0.53, cvss 8.2, epss 0.00

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a…

  • CVE-2016-5662 (High, Aug 26, 2016)
    risk 0.51, cvss 7.8, epss 0.00

    Accellion Kiteworks appliances before kw2016.03.00 use setuid-root permissions for /opt/bin/cli, which allows local users to gain privileges via unspecified vectors.

  • CVE-2016-2353 (High, May 7, 2016)
    risk 0.51, cvss 7.8, epss 0.00

    The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.

  • CVE-2026-24782 (High, Jun 1, 2026)
    risk 0.49, cvss 7.6, epss 0.01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and…

  • CVE-2026-24753 (Medium, Jun 1, 2026)
    risk 0.42, cvss 6.5, epss 0.00

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on…

  • CVE-2026-23638 (Medium, Jun 1, 2026)
    risk 0.42, cvss 6.5, epss 0.00

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users…

  • CVE-2016-9500 (Medium, Jul 13, 2018)
    risk 0.40, cvss 6.1, epss 0.05

    Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.

  • CVE-2017-8795 (Medium, May 5, 2017)
    risk 0.40, cvss 6.1, epss 0.01

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter.

  • CVE-2017-8792 (Medium, May 5, 2017)
    risk 0.40, cvss 6.1, epss 0.01

    An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter.