CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6850
https://notcve.org/view.php?id=CVE-2016-6850
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/bid/93457 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6843
https://notcve.org/view.php?id=CVE-2016-6843
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a user with elevated permissions. Malicious script code can be executed within a user's context. • http://www.securityfocus.com/bid/93457 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4026
https://notcve.org/view.php?id=CVE-2016-4026
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/archive/1/538732/100/0/threaded http://www.securitytracker.com/id/1036157 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6844
https://notcve.org/view.php?id=CVE-2016-6844
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/bid/93457 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6852
https://notcve.org/view.php?id=CVE-2016-6852
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks. Ha sido descubierto un problema en Open-Xchange OX App Suite en versiones anteriores a 7.8.2-rev8. Usuarios pueden proporcionar rutas de archivo locales para el lector RSS; la respuesta y el código de error dan sugerencias sobre si el archivo proporcionado existe o no. • http://www.securityfocus.com/bid/93459 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •