Accellion Kiteworks versions prior to 2017.01.00 suffer from an authentication bypass vulnerability.
d347dee5b223a51f0bdd3cd6f19b767f912e1d12f4d86c8a16314862e8c9b919[Suggested description]
Authentication Bypass vulnerability in Accellionkiteworks before
2017.01.00 allows remote attackers to executecertain API calls on
behalf of a web user using a gathered token via aPOST request to
/oauth/token.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Accellion
------------------------------------------
[Affected Product Code Base]
Kiteworks - Affected Version: kw2016.04.12, FixedVersion: v2017.01.00
------------------------------------------
[Affected Component]
web user, token, API calls
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
Can create user accounts
------------------------------------------
[Attack Vectors]
To exploit vulnerability, someone can gather thetoken by submitting a POST request to /oauth/token.
------------------------------------------
[Has vendor confirmed or acknowledged thevulnerability?] true
------------------------------------------
[Discoverer]
Jerin Joy
Email: Jerinjoy@tutamail.com <mailto:Jerinjoy@tutamail.com>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed