Security Advisories
Monthly
Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.