22 matches found
CVE-2021-31585
The CVE-2021-31585 issue affects Accellion Kiteworks (before version 7.3.1). The root cause is an elevation-of-privilege flaw allowing a user with Admin privileges to generate SSH passwords that enable local access, effectively escalating privileges. Impact is described as privilege, authenticati...
CVE-2021-31586
Summary: Accellion Kiteworks affected versions prior to 7.4.0 have a SQL Injection vulnerability exposed through LDAPGroup Search. An authenticated user can trigger the flaw, potentially exposing sensitive database information. Affected product: Accellion Kiteworks (before 7.4.0). Vulnerability d...
CVE-2017-9421
The CVE-2017-9421 issue affects Accellion kiteworks prior to 2017.01.00. A remote attacker can bypass authentication by using a token gathered via a POST to /oauth/token to perform certain API calls on behalf of a web user. The root cause is an authentication bypass linked to token handling in th...
CVE-2026-24761
The CVE-2026-24761 entry concerns Kiteworks Secure Data Forms prior to version 9.3.0, where an Insecure Direct Object Reference (IDOR) allows an authenticated user to access metadata of resources belonging to other users due to insufficient ownership checks. Affected product is Kiteworks Secure D...
CVE-2026-24752
CVE-2026-24752 affects Kiteworks Secure Data Forms prior to version 9.3.0. A reflected XSS could cause a user to execute arbitrary JavaScript, with patch provided in 9.3.0+. CVSSv3.1 base score 8.2 (HIGH): attack vector NETWORK, privileges required NONE, user interaction REQUIRED, scope CHANGED, ...
CVE-2026-24753
Kiteworks (PDN) prior to 9.3.0 is affected by an Insecure Direct Object Reference (IDOR) in Secure Data Forms. An authenticated user can modify resources belonging to other users due to insufficient authorization checks on resource ownership. A patch is available in version 9.3.0 and later; upgra...
CVE-2026-24755
Kiteworks Secure Data Forms (prior to v9.3.0) contains an Insecure Direct Object Reference (IDOR) vulnerability that allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. A patch is available in Kit...
CVE-2026-23635
Kiteworks Secure Data Forms (PDN) has a vulnerability affecting versions prior to 9.2.1 due to a misconfiguration of security attributes that could lead to Unprotected Transport of Credentials. The issue is documented across CVE-2026-23635 with a CVSSv3.1 base score of 6.5 (Network, High attack v...
CVE-2026-23638
Kiteworks CVE-2026-23638 is an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms, affecting versions prior to 9.3.0. An authenticated attacker can tamper with internal approval flow configurations of other users’ forms due to insufficient authorization checks on...
CVE-2026-24754
CVE-2026-24754 affects Kiteworks, where a stored XSS vulnerability exists in Secure Data Forms prior to version 9.3.0. An authenticated attacker could execute arbitrary JavaScript in other users’ sessions. The issue is mitigated by upgrading to Kiteworks version 9.3.0 or later, which provides a p...
CVE-2026-24756
Kiteworks CVE-2026-24756 affects the Kiteworks Secure Data Forms component. Before version 9.3.0, an Insecure Direct Object Reference (IDOR) allows an authenticated user to modify resources owned by other users due to insufficient authorization checks on ownership. A patch is available in version...
CVE-2026-24782
Kiteworks users are affected by multiple SQL injection flaws in Secure Data Forms prior to version 9.3.0. An authenticated attacker with the FormBuilder role can retrieve information on or modify other users’ form definitions and some global configuration parameters. The fix is to upgrade to Kite...
CVE-2026-24751
Kiteworks CVE-2026-24751 is a reflected XSS in Kiteworks Secure Data Forms present before version 9.3.0. An attacker could induce a user to execute arbitrary JavaScript via a crafted input, over a network, with user interaction required. The vulnerability’s impact includes high confidentiality ri...
CVE-2026-23636
Affected software: Kiteworks Secure Data Forms. Vulnerability: Unrestricted Upload of File with Dangerous Type due to missing validation in versions prior to 9.2.1. Impact: potential for a manager of a form to upload harmful files. Root cause: missing input validation during file upload. Remediat...
CVE-2026-28269
Kiteworks Core is affected by an OS command injection vulnerability in its command execution feature prior to version 9.2.0. Authenticated users could redirect command output to arbitrary file locations, potentially overwriting critical system files and gaining elevated access. The issue is addre...
CVE-2026-28270
Summary: CVE-2026-28270 affects Kiteworks Core. Before version 9.2.0, a configuration flaw allowed uploading of arbitrary files without proper validation, enabling malicious administrators to upload unauthorized file types. The issue is addressed in version 9.2.0, which contains a patch. Affected...
CVE-2026-28272
Kiteworks Email Protection Gateway (pre-9.2.0) has a stored XSS vulnerability exploitable by authenticated administrators via a configuration interface. The stored script can execute when users interact with the affected UI, potentially impacting confidentiality and integrity (C=HIGH, I=HIGH) wit...
CVE-2026-29092
Kiteworks Email Protection Gateway has an insufficient session expiration vulnerability (CVE-2026-29092) affecting versions before 9.2.1. Prior to 9.2.1, blocked users could maintain active sessions after their account is disabled, potentially allowing unauthorized access until the session expire...
CVE-2026-23514
Kiteworks Core vulnerability CVE-2026-23514 affects versions 9.2.0 and 9.2.1, where an access control flaw lets authenticated users access content they should not. This results in high impact on confidentiality, integrity, and availability (CVSS v3.1: 8.8; NETWORK, LOW exploitability, no user int...
CVE-2026-28271
Kiteworks Core (PDN) prior to version 9.2.0 contains a SSRF bypass vulnerability in configuration functionality exploitable via DNS rebinding, allowing access to restricted internal services. Patch available in 9.2.0. Exploitation details are not provided in the documents; no explicit in-the-wild...
CVE-2025-53939
Kiteworks Core (PDN) prior to version 9.1.0 contains an input validation flaw when managing roles on a shared folder, which could allow elevation of another user’s permissions on that share. The issue is fixed in version 9.1.0. Exploitation details are not provided in the available documents.
CVE-2026-24750
Kiteworks Secure Data Forms (before v9.2.1) is affected by a stored XSS in the web-page generation step when modifying forms, caused by improper input neutralization. An authenticated attacker with access to form modification flows can exploit this. A patch is available in version 9.2.1 and late...