CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4027 – Open-Xchange App Suite 7.8.1 Information Disclosure
https://notcve.org/view.php?id=CVE-2016-4027
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. • http://packetstormsecurity.com/files/137599/Open-Xchange-App-Suite-7.8.1-Information-Disclosure.html http://www.securityfocus.com/archive/1/538732/100/0/threaded http://www.securitytracker.com/id/1036157 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3173 – Open-Xchange OX AppSuite 7.8.0 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2016-3173
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user's context. • http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/538481/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3174 – Open-Xchange OX AppSuite 7.8.0 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2016-3174
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks. • http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/538481/100/0/threaded • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-2840
https://notcve.org/view.php?id=CVE-2016-2840
An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, the vulnerability can be exploited without being authenticated and therefore used for social engineering attacks, stealing cookies or redirecting from trustworthy to malicious hosts. Ha sido descubierto un problema en Open-Xchange Server 6 / OX AppSuite en versiones anteriores a 7.8.0-rev26. • http://packetstormsecurity.com/files/136543/Open-Xchange-7.8.0-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/537959/100/0/threaded http://www.securitytracker.com/id/1035469 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5375
https://notcve.org/view.php?id=CVE-2015-5375
Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object properties. Vulnerabilidad de XSS en diálogos no especificados para imprimir contenido en el Front End en Open-Xchange Server 6 y OX App Suite en versiones anteriores a 6.22.8-rev8, 6.22.9 en versiones anteriores a 6.22.9-rev15m, 7.x en versiones anteriores a 7.6.1-rev25 y 7.6.2 en versiones anteriores a 7.6.2-rev20, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores desconocidos relacionados con las propiedades del objeto. • http://packetstormsecurity.com/files/133674/Open-Xchange-Server-6-OX-AppSuite-Cross-Site-Scripting.html http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_2614_7.6.2_2015-07-22.pdf http://www.securityfocus.com/archive/1/536523/100/0/threaded http://www.securitytracker.com/id/1034018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •