Accellion
Products
5- 27 CVEs
- 12 CVEs
- 7 CVEs
- 3 CVEs
- 2 CVEs
Recent CVEs
47| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-2857 | Cri | 0.73 | 9.8 | 0.84 | Aug 22, 2017 | Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter. | ||
| CVE-2017-8303 | Cri | 0.66 | 9.8 | 0.24 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter. | ||
| CVE-2017-8794 | Cri | 0.65 | 10.0 | 0.02 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern. | ||
| CVE-2017-8796 | Cri | 0.64 | 9.8 | 0.01 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter. | ||
| CVE-2017-8790 | Cri | 0.64 | 9.8 | 0.01 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection. | ||
| CVE-2017-8789 | Cri | 0.64 | 9.8 | 0.01 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists. | ||
| CVE-2016-2351 | Cri | 0.64 | 9.8 | 0.02 | May 7, 2016 | SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter. | ||
| CVE-2016-2352 | Hig | 0.58 | 8.8 | 0.05 | May 7, 2016 | The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role. | ||
| CVE-2017-8793 | Hig | 0.57 | 8.8 | 0.01 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the… | ||
| CVE-2015-2856 | Hig | 0.56 | 7.5 | 0.57 | Oct 10, 2017 | Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie. | ||
| CVE-2026-24752 | Hig | 0.53 | 8.2 | 0.00 | Jun 1, 2026 | Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a… | ||
| CVE-2026-24751 | Hig | 0.53 | 8.2 | 0.00 | Jun 1, 2026 | Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a… | ||
| CVE-2016-5662 | Hig | 0.51 | 7.8 | 0.00 | Aug 26, 2016 | Accellion Kiteworks appliances before kw2016.03.00 use setuid-root permissions for /opt/bin/cli, which allows local users to gain privileges via unspecified vectors. | ||
| CVE-2016-2353 | Hig | 0.51 | 7.8 | 0.00 | May 7, 2016 | The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors. | ||
| CVE-2026-24782 | Hig | 0.49 | 7.6 | 0.01 | Jun 1, 2026 | Kiteworks is a private data network (PDN). Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and… | ||
| CVE-2026-24753 | Med | 0.42 | 6.5 | 0.00 | Jun 1, 2026 | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on… | ||
| CVE-2026-23638 | Med | 0.42 | 6.5 | 0.00 | Jun 1, 2026 | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users… | ||
| CVE-2016-9500 | Med | 0.40 | 6.1 | 0.05 | Jul 13, 2018 | Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting. | ||
| CVE-2017-8795 | Med | 0.40 | 6.1 | 0.01 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter. | ||
| CVE-2017-8792 | Med | 0.40 | 6.1 | 0.01 | May 5, 2017 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter. |
- risk 0.73cvss 9.8epss 0.84
Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.
- risk 0.66cvss 9.8epss 0.24
An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter.
- risk 0.65cvss 10.0epss 0.02
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists.
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.
- risk 0.58cvss 8.8epss 0.05
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote authenticated users to execute arbitrary commands by leveraging the YUM_CLIENT restricted-user role.
- risk 0.57cvss 8.8epss 0.01
An issue was discovered on Accellion FTA devices before FTA_9_12_180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the…
- risk 0.56cvss 7.5epss 0.57
Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie.
- risk 0.53cvss 8.2epss 0.00
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a…
- risk 0.53cvss 8.2epss 0.00
Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a…
- risk 0.51cvss 7.8epss 0.00
Accellion Kiteworks appliances before kw2016.03.00 use setuid-root permissions for /opt/bin/cli, which allows local users to gain privileges via unspecified vectors.
- risk 0.51cvss 7.8epss 0.00
The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows local users to add an SSH key to an arbitrary group, and consequently gain privileges, via unspecified vectors.
- risk 0.49cvss 7.6epss 0.01
Kiteworks is a private data network (PDN). Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and…
- risk 0.42cvss 6.5epss 0.00
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on…
- risk 0.42cvss 6.5epss 0.00
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users…
- risk 0.40cvss 6.1epss 0.05
Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter.
- risk 0.40cvss 6.1epss 0.01
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter.