The Accellion Kiteworks appliance prior to version kw2016.03.00 contains multiple vulnerabilities.
CWE-276: Incorrect Default Permissions - CVE-2016-5662
An unauthenticated user may be able to conduct cross-site scripting attacks or read a limited set of files from the appliance. An authenticated user may be able to elevate the privileges of commands to root.
Apply an update
Thanks to Shubham Shah for reporting this vulnerability.
This document was written by Garret Wassermann.