Accellion Kiteworks appliance versions prior to kw2016.03.00 contain multiple vulnerabilities which can allow an attacker to conduct cross-site scripting (XSS) attacks or to view limited sets of files.

The vulnerabilities included incorrect default permissions, improper neutralization of input during web page generation, improper limitation of a path name to a restricted directory, and a configuration error, according to the Aug. 26 advisory.

If left unpatched, an authenticated KiteWorks user could escalate privileges of commands to root and view limited sets of files outside of the webroot directory by a crafted HTTP request, the advisory said.

An attacker could also conduct reflected cross-site scripting attacks using the code, error, and error_description parameters of oauth_callback.php. The appliance is pre-configured with insecure defaults that may allow an attacker to create an SSH tunnel for a local user and bypass typical authentication channels, the advisory said.

Users are advised to update their software as soon as possible.