Accellion Kiteworks versions prior to 2017.01.00 suffer from an authentication bypass vulnerability.
[Suggested description]
Authentication Bypass vulnerability in Accellion kiteworks before
2017.01.00 allows remote attackers to execute certain API calls on
behalf of a web user using a gathered token via a POST request to
/oauth/token.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Accellion
------------------------------------------
[Affected Product Code Base]
Kiteworks - Affected Version: kw2016.04.12, Fixed Version: v2017.01.00
------------------------------------------
[Affected Component]
web user, token, API calls
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
Can create user accounts
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker first gathers a token by submitting a POST request to /oauth/token, then uses that token to execute API calls on behalf of the web user (including creating user accounts).
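The advisory states only that a token can be gathered from /oauth/token and then used to call the API on behalf of a web user; it does not describe how the endpoint failed. The Python below is an added illustration, not Kiteworks code: it models one way a token endpoint can fail (minting a token for any user named in the request, with no credential check) next to a hardened issuer that binds the token to the principal that actually authenticated, plus a version check using the advisory's version strings. The user store, token shape, form fields and create-user call are all assumptions made for the example.

```python
"""Added illustration for the Kiteworks advisory above; not the vendor's code.

Only the version numbers (kw2016.04.12 affected, v2017.01.00 fixed) and the
impact (API calls on behalf of a web user, account creation) come from the
advisory. The weak/hardened token endpoints model the vulnerability class,
not the real implementation.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

# Constructed demo user store: username -> (password, is_admin)
USERS = {"alice": ("alice-pw", True), "bob": ("bob-pw", False)}

FIXED_VERSION = (2017, 1, 0)  # advisory: fixed in v2017.01.00


def parse_version(v: str) -> tuple[int, ...]:
    """'kw2016.04.12', 'v2017.01.00' and '2017.01.00' all parse to int tuples."""
    return tuple(int(part) for part in v.lower().lstrip("kwv").split("."))


def is_affected(version: str) -> bool:
    """True for any release older than the fixed version."""
    return parse_version(version) < FIXED_VERSION


@dataclass(frozen=True)
class Token:
    subject: str      # the web user the token acts for
    is_admin: bool
    value: str        # opaque bearer value


def weak_token_endpoint(form: dict) -> Token:
    """Assumed failure mode of POST /oauth/token: the 'user' field is trusted
    and no credential is ever checked, so a remote caller gathers a token
    for any web user they name."""
    user = form["user"]
    return Token(user, USERS[user][1], secrets.token_hex(16))


def hardened_token_endpoint(form: dict) -> Token | None:
    """Issues a token only to a principal that proved a credential, and
    binds the token's subject to that principal."""
    user, password = form.get("user"), form.get("password")
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record[0], password or ""):
        return None
    return Token(user, record[1], secrets.token_hex(16))


def api_create_user(token: Token, new_user: str) -> bool:
    """Privileged API call standing in for the advisory's 'can create user
    accounts' impact; it only checks the token it is handed."""
    if not token.is_admin:
        return False
    USERS.setdefault(new_user, (secrets.token_hex(8), False))
    return True


if __name__ == "__main__":
    print("kw2016.04.12 affected:", is_affected("kw2016.04.12"))
    stolen = weak_token_endpoint({"user": "alice"})          # no password needed
    print("weak endpoint lets attacker create user:", api_create_user(stolen, "mallory"))
    print("hardened endpoint, wrong password:", hardened_token_endpoint({"user": "alice", "password": "x"}))
```

The point of the comparison is that the API call itself is unchanged in both cases; the control that matters is whether the token endpoint proves who is asking before it binds a subject to the token.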
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?] true
------------------------------------------
[Discoverer]
Jerin Joy
Email: [email protected]