[Suggested description]
Authentication Bypass vulnerability in Accellion kiteworks before 2017.01.00 allows remote attackers to execute certain API calls on behalf of a web user using a gathered token via a POST request to /oauth/token.

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
Accellion

------------------------------------------

[Affected Product Code Base]
Kiteworks - Affected Version: kw2016.04.12, Fixed Version: v2017.01.00

------------------------------------------

[Affected Component]
web user, token, API calls

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[CVE Impact Other]
Can create user accounts

------------------------------------------

[Attack Vectors]
To exploit the vulnerability, someone can gather the token by submitting a POST request to /oauth/token.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Jerin Joy
Email: Jerinjoy@tutamail.com