CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-6851 – Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-6851
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already. • https://www.exploit-db.com/exploits/40377 http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/539395/100/0/threaded http://www.securityfocus.com/bid/92920 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8542
https://notcve.org/view.php?id=CVE-2015-8542
An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when accessing PGP Private Keys. • http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html http://www.securityfocus.com/archive/1/537678/100/0/threaded http://www.securitytracker.com/id/1035174 • CWE-320: Key Management Errors •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-7385
https://notcve.org/view.php?id=CVE-2015-7385
Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in "Guard PGP Settings." Vulnerabilidad de XSS en Open-Xchange OX Guard en versiones anteriores a 2.0.0-rev11 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de el campo uid en una clave pública PGP, lo que no es manejado adecuadamente en 'Guard PGP Settings.' • http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf http://www.securityfocus.com/archive/1/536923/100/0/threaded http://www.securitytracker.com/id/1034166 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •