CVE-2016-9499

Description

Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.

Affected products

• Accellion / FTP ServerFTA_9_12_220 – FTA_9_12_220

References

• MISChttps://www.qualys.com/2016/12/06/qsa-2016-12-06/qsa-2016-12-06.pdf
• MISChttps://www.securityfocus.com/bid/96154
• MISChttps://www.kb.cert.org/vuls/id/745607