[Suggested description]
Authentication Bypass vulnerability in Accellion kiteworks before
2017.01.00 allows remote attackers to execute certain API calls on
behalf of a web user using a gathered token via a POST request to
/oauth/token.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Accellion
------------------------------------------
[Affected Product Code Base]
Kiteworks - Affected Version: kw2016.04.12, Fixed Version: v2017.01.00
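The advisory names one affected build (kw2016.04.12) and one fixed release (v2017.01.00) but does not state how the two version strings compare in general. The helper below is an added example, not code from Accellion or from the discoverer: it normalises a kiteworks version string (the "kw" or "v" prefix is an assumption based on the two strings quoted above) and reports whether an instance is older than the fixed release. It is a version heuristic only; it does not probe /oauth/token or confirm the bypass on a live system.

```python
import re

# Version strings quoted in the advisory above (not obtained from a live system).
AFFECTED_VERSION = "kw2016.04.12"
FIXED_VERSION = "v2017.01.00"


def parse_version(version: str) -> tuple:
    """Turn a kiteworks version string such as 'kw2016.04.12' or 'v2017.01.00'
    into a tuple of ints, e.g. (2016, 4, 12).

    The optional 'kw' / 'v' prefix (assumed from the advisory's two examples)
    is dropped; anything else that is not dotted digits is rejected so that a
    malformed banner fails loudly instead of silently comparing as "fixed".
    """
    m = re.fullmatch(r"(?:kw|v)?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised kiteworks version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed release, i.e. still exposed
    to the authentication bypass described in this advisory.

    Missing trailing components are treated as zero, so '2017.01' compares
    equal to '2017.01.00' rather than sorting before it.
    """
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


if __name__ == "__main__":
    for candidate in (AFFECTED_VERSION, "kw2016.12", "2017.01", FIXED_VERSION, "v2017.02.00"):
        status = "AFFECTED" if is_affected(candidate) else "fixed"
        print(f"{candidate:>14}: {status}")
```

Run it as a script to see the classification of the constructed sample versions; in practice you would feed it the version string reported by your own kiteworks deployment.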
------------------------------------------
[Affected Component]
web user, token, API calls
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
Can create user accounts
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker can gather the token by submitting a POST request to /oauth/token.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?] true
------------------------------------------
[Discoverer]
Jerin Joy
Email: Jerinjoy@tutamail.com
Accellion Kiteworks Authentication Bypass
- Written by: khalil shreateh
- Category: Vulnerabilities