CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0CVE-2013-2582
https://notcve.org/view.php?id=CVE-2013-2582
CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allows remote attackers to inject arbitrary HTTP headers and conduct open redirect attacks by leveraging improper sanitization of whitespace characters. Vulnerabilidad de inyección CRLF en el servlet para redirigir en Open-Xchange AppSuite y Server anterior a v6.22.0 rev15, v6.22.1 anterior a rev17, v7.0.1 anterior a rev6, y v7.0.2 anterior a rev7 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de redirección abierta mediante el aprovechamiento de saneamiento inadecuado de espacios en blanco. • http://archives.neohapsis.com/archives/bugtraq/2013-04/0183.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 2CVE-2013-1645 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1645
Directory traversal vulnerability in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the publication template path. Vulnerabilidad de salto de directorio en Open-Xchange Server anterior a v6.20.7 rev14, 6.22.0 anterior a rev13, y 6.22.1 anterior a rev14 permite a los usuarios remotos autenticados leer archivos arbitrarios a través de .. (punto punto) en la ruta de la plantilla de publicación. Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 2.1EPSS: 0%CPEs: 3EXPL: 2CVE-2013-1650 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1650
Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses weak permissions (group "other" readable) under opt/open-xchange/etc/, which allows local users to obtain sensitive information via standard filesystem operations. Open-Xchange Server anterior a 6.20.7 rev14, 6.22.0 anterior a rev13, y 6.22.1 anterior a rev14, usa permisos débiles (group "other" readable) bajo opt/open-xchange/etc/, lo que permite a usuarios locales obtener información sensible a través de operaciones estándar sobre el sistema de archivos. Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 2CVE-2013-1648 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1648
The Subscriptions feature in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not properly validate the publication-source URL, which allows remote authenticated users to trigger arbitrary outbound TCP traffic via a crafted Source field, as demonstrated by (1) an ftp: URL, (2) a gopher: URL, or (3) an http://127.0.0.1/ URL, related to a "Server-side request forging (SSRF)" issue. La característica Subscriptions en Open-Xchange Server anterior a 6.20.7 rev14, 6.22.0 anterior a rev13, y 6.22.1 anterior a rev14, no valida adecuadamente la URL de publicación origen, lo que permite a usuarios autenticados remotamente provocar una salida de tráfico TCP arbitraria a través de un campo "Source" manipulado, como se demostró con (1) una ftp: URL, (2) una gopher: URL, o (3) una http://127.0.0.1/ URL, relacionado con un problema de "Server-side request forging (SSRF)". Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 2CVE-2013-1647 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1647
Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1) the location parameter to ajax/redirect or (2) multiple infostore URIs. Múltiples vulnerabilidades de inyección CRLF en Open-Xchange Server anterior a 6.20.7 rev14, 6.22.0 anteior a rev13, y 6.22.1 anterior a rev14, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de respuesta HTTP dividida (HTTP response split attack) a través de un parámetro manipulado como se demostró por (1)el parámetro "location" a ajax/redirect o (2)múltiples URI's infostore. Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •