CVE-2016-9499

MEDIUM

Accellion FTP Server < fta_9_12_220 - Information Disclosure

Title source: rule

Description

Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

References (3)

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/745607

[Exploit, Third Party Advisory] https://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf

[Third Party Advisory, VDB Entry] https://www.securityfocus.com/bid/96154

Scores

CVSS v3 5.3

EPSS 0.0051

EPSS Percentile 66.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-204 CWE-200

Status published

Affected Products (1)

accellion/ftp_server < fta_9_12_220

Timeline

Published Jul 13, 2018

Tracked Since Feb 18, 2026