> [Suggested description]
> Authentication Bypass vulnerability in Accellion kiteworks before
> 2017.01.00 allows remote attackers to execute certain API calls on
> behalf of a web user using a gathered token via a POST request to
> /oauth/token.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> Accellion
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Kiteworks - Affected Version: kw2016.04.12, Fixed Version: v2017.01.00
>
> ------------------------------------------
>
> [Affected Component]
> web user, token, API calls
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Can create user accounts
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, someone can gather the token by submitting a POST
> request to /oauth/token.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Jerin Joy Email: jerin...@tutamail.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
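The advisory gives the affected and fixed versions in two different string formats ("kw2016.04.12" and "v2017.01.00"). The following script is an added example, not part of the mailing list post or of any Accellion tooling: it parses both prefix styles into a comparable tuple and triages a constructed inventory of Kiteworks instances against the fixed version stated above. The inventory hostnames and the assumption that every version string follows the YYYY.MM.NN pattern with an optional "kw" or "v" prefix are mine, not the advisory's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Versions quoted in the advisory.
FIXED_VERSION = "v2017.01.00"
AFFECTED_VERSION_EXAMPLE = "kw2016.04.12"

# Assumed format: optional "kw" or "v" prefix, then YYYY.MM.NN (assumption, not from the advisory).
_VERSION_RE = re.compile(r"^(?:kw|v)?(\d{4})\.(\d{2})\.(\d{2})$")


def parse_kiteworks_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, month, build) for a Kiteworks version string, or None if unparseable."""
    match = _VERSION_RE.match(version.strip().lower())
    if match is None:
        return None
    year, month, build = match.groups()
    return (int(year), int(month), int(build))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed release named in the advisory."""
    parsed = parse_kiteworks_version(version)
    fixed_parsed = parse_kiteworks_version(fixed)
    if parsed is None or fixed_parsed is None:
        raise ValueError(f"unrecognised Kiteworks version string: {version!r}")
    return parsed < fixed_parsed


def triage_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host as 'vulnerable', 'fixed' or 'unknown' (unparseable version)."""
    results = []
    for host, version in inventory.items():
        try:
            status = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            status = "unknown"
        results.append((host, version, status))
    return results


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = {
    "kw-prod.example.internal": "kw2016.04.12",  # the affected build from the advisory
    "kw-dr.example.internal": "v2017.01.00",     # the fixed build from the advisory
    "kw-lab.example.internal": "2017.06.01",     # later build, no prefix
    "kw-old.example.internal": "legacy",         # unparseable, flagged for manual review
}

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:30} {version:15} {status}")
```

Anything reported as "unknown" should be checked by hand rather than assumed patched; the fixed-version comparison is only meaningful when the version string is parsed correctly.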