Accellion Kiteworks Multiple Vulnerabilities

Release Date

Sept. 15, 2016

Patch Date

Aug. 26, 2016

Reported Date

May 21, 2016

Vendor

Accellion

Systems Affected

Versions of the appliance prior to version kw2016.03.0.

Summary

Three vulnerabilities were discovered in the Accellion Kiteworks appliance. The three vulnerabilities consisted of issues directly pertaining to incorrect default permissions, cross-site scripting, and path traversal.

Vendor Status

Accellion was immediately contacted via CERT, and we worked with Accellion through CERT in the coordinated disclosure process. The separate vulnerabilities were each given CVEs: CVE-2016-5662, CVE-2016-5663, and CVE-2016-5664. A further write-up can be found here.

Researchers