[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Authentication Bypass in Accellion Kiteworks
From: <jerinjoy () tutamail ! com>
Date: 2018-05-23 19:16:19
Message-ID: LDDQYiz--3-0 () tutamail ! com
[Download RAW message or body]
[Suggested description]
> Authentication Bypass vulnerability in Accellionkiteworks before
> 2017.01.00 allows remote attackers to executecertain API calls on
> behalf of a web user using a gathered token via aPOST request to
> /oauth/token.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Kiteworks - Affected Version: kw2016.04.12, FixedVersion: v2017.01.00
>
> ------------------------------------------
>
> [Affected Component]
> web user, token, API calls
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Can create user accounts
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit vulnerability, someone can gather thetoken by submitting a POST request to /oauth/token.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged thevulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Jerin Joy
Email: Jerinjoy@tutamail.com <mailto:Jerinjoy@tutamail.com>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic