CVE-2016-9499

Public Exploit

The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting.

Description

Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

Remediation

Solution:

Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.

References

Link	Tags
https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf	third party advisory exploit
https://www.securityfocus.com/bid/96154	vdb entry third party advisory
https://www.kb.cert.org/vuls/id/745607	third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2016-9499?: CVE-2016-9499 has been scored as a medium severity vulnerability.
How to fix CVE-2016-9499?: To fix CVE-2016-9499: Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.
Is CVE-2016-9499 being actively exploited in the wild?: It is possible that CVE-2016-9499 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-9499?: CVE-2016-9499 affects Accellion FTP Server.

Description

Remediation

Categories

CWE-204 – Observable Response Discrepancy

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

References

Frequently Asked Questions