> [Suggested description]
> Authentication Bypass vulnerability in Accellion kiteworks before
> 2017.01.00 allows remote attackers to execute certain API calls on
> behalf of a web user using a gathered token via a POST request to
> /oauth/token.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Kiteworks - Affected Version: kw2016.04.12, Fixed Version: v2017.01.00
>
> ------------------------------------------
>
> [Affected Component]
> web user, token, API calls
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Can create user accounts
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, someone can gather the token by submitting a POST request to /oauth/token.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Jerin Joy