Secure Data Forms
Monthly
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuilder role to read and tamper with other users' form definitions and certain global configuration parameters. The flaw affects the Kiteworks private data network platform, carries a CVSS 7.6 (high) severity rating, and no public exploit identified at time of analysis. Exploitation requires valid credentials with a specific role, narrowing the threat to insiders or attackers who have already obtained role-bearing accounts.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other users' resource metadata through insufficient ownership authorization checks on resource identifiers. The vulnerability is classified CWE-639 and carries a CVSS score of 3.7 (Low), reflecting limited confidentiality impact (metadata only, no content) and high attack complexity. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated low-privileged user to modify form resources owned by other users by substituting controlled resource identifiers in API requests, bypassing ownership authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the vulnerability is remotely exploitable with no complexity barrier beyond holding a valid account. No public exploit code and no CISA KEV listing identified at time of analysis; real-world risk is concentrated in multi-tenant Kiteworks deployments where data isolation between users is a security expectation.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any authenticated user against resources owned by other users. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the flaw rooted in missing ownership verification on resource authorization checks within the Secure Data Forms module. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the low attack complexity and network accessibility make it a credible insider or credential-compromise risk in multi-tenant environments where data isolation is a compliance requirement.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modify form resources owned by other users without authorization. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the vulnerability rooted in missing server-side ownership validation on resource identifiers in the Secure Data Forms module. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; however, the low attack complexity and network accessibility make it a realistic lateral-privilege abuse path in multi-tenant Kiteworks environments.
Reflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after the victim is lured into clicking a crafted link. The CVSS 8.2 score is elevated by a changed scope (S:C) and high confidentiality impact, reflecting potential session theft or pivoting against the Kiteworks Private Data Network; no public exploit identified at time of analysis and not present in CISA KEV.
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted link. The flaw carries a CVSS 8.2 due to scope change (S:C) and high confidentiality impact, but exploitation requires user interaction. At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to upload files with dangerous types due to missing input validation. An authenticated attacker with manager privileges can exploit this to upload malicious files, potentially leading to code execution or system compromise. The vulnerability affects all versions prior to 9.2.1, and a patch is available; no public exploit code has been confirmed, but the moderate CVSS score of 5.5 reflects the high integrity impact combined with the requirement for elevated privileges.
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprotected transport of credentials over the network. This vulnerability affects all versions below 9.2.1 and enables attackers to intercept sensitive authentication material in transit, potentially leading to account compromise and unauthorized access to the private data network. No active exploitation in the wild (KEV) or public proof-of-concept has been reported, though the CVSS 6.5 score and high confidentiality impact indicate meaningful risk.
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attackers to inject malicious scripts when modifying forms. Kiteworks Secure Data Forms versions prior to 9.2.1 are affected, enabling attackers with low-level privileges to execute arbitrary JavaScript in victims' browsers. There is no indication this vulnerability is actively exploited (not in CISA KEV), and no public proof-of-concept has been identified in available intelligence.
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuilder role to read and tamper with other users' form definitions and certain global configuration parameters. The flaw affects the Kiteworks private data network platform, carries a CVSS 7.6 (high) severity rating, and no public exploit identified at time of analysis. Exploitation requires valid credentials with a specific role, narrowing the threat to insiders or attackers who have already obtained role-bearing accounts.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other users' resource metadata through insufficient ownership authorization checks on resource identifiers. The vulnerability is classified CWE-639 and carries a CVSS score of 3.7 (Low), reflecting limited confidentiality impact (metadata only, no content) and high attack complexity. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated low-privileged user to modify form resources owned by other users by substituting controlled resource identifiers in API requests, bypassing ownership authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the vulnerability is remotely exploitable with no complexity barrier beyond holding a valid account. No public exploit code and no CISA KEV listing identified at time of analysis; real-world risk is concentrated in multi-tenant Kiteworks deployments where data isolation between users is a security expectation.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any authenticated user against resources owned by other users. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the flaw rooted in missing ownership verification on resource authorization checks within the Secure Data Forms module. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the low attack complexity and network accessibility make it a credible insider or credential-compromise risk in multi-tenant environments where data isolation is a compliance requirement.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modify form resources owned by other users without authorization. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the vulnerability rooted in missing server-side ownership validation on resource identifiers in the Secure Data Forms module. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; however, the low attack complexity and network accessibility make it a realistic lateral-privilege abuse path in multi-tenant Kiteworks environments.
Reflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after the victim is lured into clicking a crafted link. The CVSS 8.2 score is elevated by a changed scope (S:C) and high confidentiality impact, reflecting potential session theft or pivoting against the Kiteworks Private Data Network; no public exploit identified at time of analysis and not present in CISA KEV.
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted link. The flaw carries a CVSS 8.2 due to scope change (S:C) and high confidentiality impact, but exploitation requires user interaction. At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to upload files with dangerous types due to missing input validation. An authenticated attacker with manager privileges can exploit this to upload malicious files, potentially leading to code execution or system compromise. The vulnerability affects all versions prior to 9.2.1, and a patch is available; no public exploit code has been confirmed, but the moderate CVSS score of 5.5 reflects the high integrity impact combined with the requirement for elevated privileges.
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprotected transport of credentials over the network. This vulnerability affects all versions below 9.2.1 and enables attackers to intercept sensitive authentication material in transit, potentially leading to account compromise and unauthorized access to the private data network. No active exploitation in the wild (KEV) or public proof-of-concept has been reported, though the CVSS 6.5 score and high confidentiality impact indicate meaningful risk.
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attackers to inject malicious scripts when modifying forms. Kiteworks Secure Data Forms versions prior to 9.2.1 are affected, enabling attackers with low-level privileges to execute arbitrary JavaScript in victims' browsers. There is no indication this vulnerability is actively exploited (not in CISA KEV), and no public proof-of-concept has been identified in available intelligence.