CVE-2017-8760

Name of the Vulnerable Software and Affected Versions Accellion FTA versions prior to FTA 9 12 180

Description An issue was discovered that allows for cross-site scripting (XSS) in the courier/1000@/index.html endpoint with the auth params parameter. The device attempts to mitigate specific XSS vulnerabilities using internal Web Application Firewall (WAF) filters. However, these filters can be bypassed by modifying the payloads, such as using URL encoding.

Recommendations For Accellion FTA versions prior to FTA 9 12 180, update to version FTA 9 12 180 or later to resolve the issue. As a temporary workaround, consider restricting access to the courier/1000@/index.html endpoint and avoiding the use of the auth params parameter until the issue is resolved.