CVE-2017-8794 Information

Description

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwdhttps:// URL pattern.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Reference

https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

10.0