Accellion Kiteworks Multiple Vulnerabilities

by Shubham Shah, on Sep 8, 2016 2:32:42 PM

Release Date

Sept. 15, 2016

Patch Date

Aug. 26, 2016

Reported Date

May 21, 2016

Vendor

Accellion

Systems Affected

Versions of the appliance prior to version kw2016.03.0.

Summary

Three vulnerabilities were discovered in the Accellion Kiteworks appliance: incorrect default permissions, cross-site scripting, and path traversal.

Vendor Status

Accellion was immediately contacted via CERT, and we worked with Accellion through CERT in the coordinated disclosure process. The separate vulnerabilities were each given CVEs: CVE-2016-5662, CVE-2016-5663, and CVE-2016-5664. A further write-up can be found here.

Researchers

Vulnerabilities

Path Traversal
Cross-site Scripting
Incorrect Default Permissions
