Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.
AnalysisAI
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later. Affected products include: Accellion Fta.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. Ra
Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpo
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. Rated critical
Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. Rated high severity
Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. Rated medium
Share
External POC / Exploit Code
Leaving vuln.today