Executive Summary

This alert is flagged as CWE/SANS Top 25 Common Weakness Enumeration.
Title: Accellion FTP server contains information exposure and cross-site scripting vulnerabilities
Name: VU#745607
First vendor Publication: 2017-02-08
Vendor: VU-CERT
Last vendor Modification: 2017-02-08
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score: 5
Attack Range: Network
Cvss Impact Score: 2.9
Attack Complexity: Low
Cvss Exploit Score: 10
Authentication: None Required


Vulnerability Note VU#745607

Accellion FTP server contains information exposure and cross-site scripting vulnerabilities

Original Release date: 08 Feb 2017 | Last revised: 08 Feb 2017


The Accellion FTP server prior to version FTA_9_12_220 is vulnerable to cross-site scripting and information exposure.


CWE-204: Response Discrepancy Information Exposure - CVE-2016-9499

Accellion FTP server only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.
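An added example (not taken from the advisory or from Accellion's code) that models the response discrepancy described above next to a uniform-response handler, with a regression check that compares failed logins for an existing and a non-existing account. The handlers, account store, status codes and messages are constructed for illustration.

```python
import hmac

# Constructed account store for this demo; not data from the advisory.
USERS = {"alice@example.com": "correct horse"}

def _same(a, b):
    # Constant-time comparison on bytes.
    return hmac.compare_digest(a.encode(), b.encode())

def login_discrepant(username, password):
    """Models the reported behaviour: the username is echoed only when invalid."""
    if username not in USERS:
        return 401, f"Login failed for {username}"
    if not _same(USERS[username], password):
        return 401, "Login failed"
    return 200, "Welcome"

def login_uniform(username, password):
    """Hardened form: a single failure response whichever check failed."""
    stored = USERS.get(username)
    # Compare against a dummy value for unknown users so both paths do similar work.
    matched = _same(stored if stored is not None else "\x00dummy", password)
    if stored is not None and matched:
        return 200, "Welcome"
    return 401, "Invalid username or password"

def leaks_account_validity(handler, known_user, unknown_user,
                           bad_password="wrong-on-purpose"):
    """True if failed logins for an existing and a non-existing account differ
    after the submitted username is masked out of the body."""
    def probe(user):
        status, body = handler(user, bad_password)
        return status, body.replace(user, "<USER>")
    return probe(known_user) != probe(unknown_user)

if __name__ == "__main__":
    for h in (login_discrepant, login_uniform):
        print(h.__name__,
              leaks_account_validity(h, "alice@example.com", "nobody@example.com"))
```

Masking the submitted username before comparing keeps the check focused on structural differences between the two failure responses rather than on the echoed value itself.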

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-9500

Accellion FTP server uses the Accusoft Prizm Content flash component, which contains multiple parameters (customTabCategoryName, customButton1Image) that are vulnerable to cross-site scripting.

For more information, please see Qualys's security advisory.


A remote attacker may be able to enumerate user accounts on the Accellion FTP server or may conduct reflected cross-site scripting attacks.


Apply an update

Both issues have been addressed in the most recent version FTA_9_12_220, released on 31 January 2017. Previously, CVE-2016-9500 was addressed in FTA_9_12_160 released on 29 November 2016.

Vendor Information

Vendor: Accellion
Status: Affected
Date Notified: 09 Dec 2016
Date Updated: 20 Jan 2017




  • https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf
  • http://cwe.mitre.org/data/definitions/80.html
  • http://cwe.mitre.org/data/definitions/204.html


Thanks to Ashish Kamble for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-9499, CVE-2016-9500
  • Date Public: 31 Jan 2017
  • Date First Published: 08 Feb 2017
  • Date Last Updated: 08 Feb 2017
  • Document Revision: 29



Original Source

Url : http://www.kb.cert.org/vuls/id/745607

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-200 Information Exposure
50 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Application 1

Alert History

Date: Information
2018-09-10 17:23:39: Multiple Updates
2018-07-14 00:21:04: Multiple Updates
2017-02-08 21:23:38: First insertion