Filtered by vendor Accellion
Total: 65 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23638 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 6.5 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24751 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 8.2 HIGH |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24752 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 8.2 HIGH |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24753 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 6.5 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24754 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 5.4 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24755 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 5.4 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24756 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 4.3 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24761 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 3.7 LOW |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2026-24782 | 1 Accellion | 1 Kiteworks | 2026-06-03 | N/A | 7.6 HIGH |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | |||||
| CVE-2017-8788 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a CRLF vulnerability in settings_global_text_edit.php allowing ?display=x%0Dnewline attacks. | |||||
| CVE-2017-8791 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a home/seos/courier/login.html auth_params CRLF attack vector. | |||||
| CVE-2017-8790 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection. | |||||
| CVE-2017-8789 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists. | |||||
| CVE-2015-2856 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie. | |||||
| CVE-2017-8795 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/smtpg_add.html with the param parameter. | |||||
| CVE-2017-8304 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. courier/1000@/oauth/playground/callback.html allows XSS with a crafted URI. | |||||
| CVE-2017-8796 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter. | |||||
| CVE-2017-8760 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS Vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding. | |||||
| CVE-2017-8303 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter. | |||||
| CVE-2017-8792 | 1 Accellion | 1 File Transfer Appliance | 2026-05-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in home/seos/courier/user_add.html with the param parameter. | |||||
