
Accellion Kiteworks contains XSS vulnerabilities

Accellion Kiteworks appliance versions prior to kw2016.03.00 contain multiple vulnerabilities that can allow an attacker to conduct cross-site scripting (XSS) attacks or to view limited sets of files.

The vulnerabilities include incorrect default permissions (CWE-276), improper neutralization of input during web page generation (CWE-79, cross-site scripting), improper limitation of a path name to a restricted directory (CWE-22, path traversal), and a configuration error, according to the Aug. 26 advisory.

If left unpatched, an authenticated Kiteworks user could escalate privileges to root when running commands and, via a crafted HTTP request, view limited sets of files outside the webroot directory, the advisory said.

An attacker could also conduct reflected cross-site scripting attacks through the code, error, and error_description parameters of oauth_callback.php. The appliance also ships with insecure defaults that may allow an attacker to create an SSH tunnel as a local user and bypass the usual authentication channels, the advisory said.
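The reflected XSS in the oauth_callback.php parameters and the path traversal described above are well-known weakness classes. The following Python example is added here and is not taken from the advisory or from Accellion's code: it shows the reflection pattern that makes an OAuth callback page a reflected-XSS sink next to its output-encoded fix, and it scans a few constructed access-log lines for probes against the three named parameters and for traversal sequences. The handler logic, the log format, the client addresses and the /download path are assumptions made for illustration only.

```python
"""Added example (not Kiteworks code): reflected-XSS sink vs. hardened
rendering for an OAuth callback page, plus an access-log scan for probes."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# --- 1. The weak pattern and its fix -------------------------------------

def render_callback_vulnerable(query: str) -> str:
    """Hypothetical reconstruction of the weak pattern (CWE-79): values of
    code / error / error_description are copied into the HTML verbatim."""
    params = parse_qs(query, keep_blank_values=True)
    code = params.get("code", [""])[0]
    error = params.get("error", [""])[0]
    desc = params.get("error_description", [""])[0]
    if error:
        return f"<p>Authorization failed: {error}: {desc}</p>"
    return f"<p>Received code {code}</p>"


def render_callback_hardened(query: str) -> str:
    """Same page with output encoding: every reflected value is HTML-escaped
    (&, <, >, ", ') before it is placed into the element body."""
    params = parse_qs(query, keep_blank_values=True)

    def esc(name: str) -> str:
        return html.escape(params.get(name, [""])[0], quote=True)

    if params.get("error", [""])[0]:
        return f"<p>Authorization failed: {esc('error')}: {esc('error_description')}</p>"
    return f"<p>Received code {esc('code')}</p>"


# --- 2. Log scan for exploitation attempts -------------------------------

PROBE_PARAMS = ("code", "error", "error_description")   # parameters named in the advisory
XSS_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=|<\s*img|<\s*svg", re.I)
# Traversal in plain, single-encoded or double-encoded form (checked after one unquote).
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f", re.I)
# Common Log Format: ip ident user [ts] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """Return (client_ip, finding, detail) tuples for requests that carry XSS
    markers in the oauth_callback.php parameters or traversal sequences
    anywhere in the request target."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a recognised access-log line; skip it
        target = m.group("target")
        parts = urlsplit(target)
        if parts.path.endswith("/oauth_callback.php"):
            params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
            for name in PROBE_PARAMS:
                if any(XSS_MARKERS.search(v) for v in params.get(name, [])):
                    findings.append((m.group("ip"), "xss-probe", name))
        if TRAVERSAL.search(unquote(target)):
            findings.append((m.group("ip"), "traversal", parts.path))
    return findings


# Constructed sample log lines (addresses from RFC 5737 test ranges; the
# /download path is a placeholder, not a known Kiteworks endpoint).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2016:10:01:02 +0000] "GET /oauth_callback.php?code=abc123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Aug/2016:10:02:15 +0000] "GET /oauth_callback.php?error=access_denied'
    '&error_description=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.9 - - [26/Aug/2016:10:03:40 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210',
    '198.51.100.9 - - [26/Aug/2016:10:04:01 +0000] "GET /oauth_callback.php?code=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 600',
]

if __name__ == "__main__":
    q = "error=access_denied&error_description=<script>alert(1)</script>"
    print("vulnerable:", render_callback_vulnerable(q))
    print("hardened:  ", render_callback_hardened(q))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The hardened renderer only covers values placed in element bodies or quoted attributes; a value reflected into a script block or a URL needs a context-specific encoder instead. The log scan is deliberately coarse (a first pass over raw logs), so treat hits as leads to inspect rather than confirmed exploitation.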

Users are advised to update to kw2016.03.00 or later as soon as possible.
