[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Authentication Bypass in Accellion Kiteworks
- To: <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Authentication Bypass in Accellion Kiteworks
- From: <jerinjoy@xxxxxxxxxxxx>
- Date: Wed, 23 May 2018 21:16:19 +0200 (CEST)
[Suggested description]
> Authentication Bypass vulnerability in Accellionkiteworks before
> 2017.01.00 allows remote attackers to executecertain API calls on
> behalf of a web user using a gathered token via aPOST request to
> /oauth/token.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Kiteworks - Affected Version: kw2016.04.12, FixedVersion: v2017.01.00
>
> ------------------------------------------
>
> [Affected Component]
> web user, token, API calls
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Can create user accounts
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit vulnerability, someone can gather thetoken by submitting a POST
> request to /oauth/token.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged thevulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Jerin Joy
Email: Jerinjoy@xxxxxxxxxxxx <mailto:Jerinjoy@xxxxxxxxxxxx>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/