CVE-2016-9500

Public Exploit

The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to informaiton exposure

Description

Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.

Remediation

Solution:

Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.

References

Link	Tags
https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf	third party advisory exploit
https://www.securityfocus.com/bid/96154	third party advisory vdb entry
https://www.kb.cert.org/vuls/id/745607	third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2016-9500?: CVE-2016-9500 has been scored as a medium severity vulnerability.
How to fix CVE-2016-9500?: To fix CVE-2016-9500: Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.
Is CVE-2016-9500 being actively exploited in the wild?: It is possible that CVE-2016-9500 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-9500?: CVE-2016-9500 affects Accellion FTP Server.

Description

Remediation

Categories

CWE-80 – Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions