PT-2017-18529 · Accellion · Accellion Fta
Published
2017-05-05
·
Updated
2017-05-17
·
CVE-2017-8789
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Accellion FTA versions prior to FTA 9 12 180
Description
A SQL injection issue exists due to a report error.php API endpoint that is vulnerable to injection attacks. The
year parameter is specifically mentioned as a vector for this injection. This could potentially allow an attacker to execute unauthorized SQL commands.Recommendations
For versions prior to FTA 9 12 180, update to FTA 9 12 180 or later to resolve the issue. As a temporary workaround, consider restricting access to the report error.php API endpoint to minimize the risk of exploitation. Avoid using the
year parameter in the report error.php endpoint until the issue is resolved.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Accellion Fta