CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2391
https://notcve.org/view.php?id=CVE-2014-2391
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request. El servicio de recuperación de contraseña en Open-Xchange AppSuite anterior a 7.2.2-rev20, 7.4.1 anterior a 7.4.1-rev11, y 7.4.2 anterior a 7.4.2-rev13 toma una decision indebida sobre la sensibilidad de una cadena que representa una contraseña utilizada anteriormente pero actualmente invalida, lo que permite a atacantes remotos obtener información potencialmente útil de pautas de contraseñas mediante la lectura de (1) un registro de acceso al servidor web, (2) un registro Referer del servidor web o (3) un historial del navegador que contiene esta cadena debido a su presencia en una solicitud GET. • http://www.securityfocus.com/archive/1/531762 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2392
https://notcve.org/view.php?id=CVE-2014-2392
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. La funcionalidad de autoconfiguración de E-Mail en Open-Xchange AppSuite anterior a 7.2.2-rev20, 7.4.1 anterior a 7.4.1-rev11 y 7.4.2 anterior a 7.4.2-rev13 situa a contraseñas en una solicitud GET, lo que permite a atacantes remotos obtener información sensible mediante la lectura de (1) registros de acceso al servidor web, (2) registros Referer del servidor web o (3) el historial del navegador. • http://www.securityfocus.com/archive/1/531762 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2393
https://notcve.org/view.php?id=CVE-2014-2393
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment. Vulnerabilidad de XSS en Open-Xchange AppSuite 7.4.1 anterior a 7.4.1-rev11 y 7.4.2 anterior a 7.4.2-rev13 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de un nombre de archivo Drive que no está manejado debidamente durante el uso del compositor para añadir un adjunto de email. • http://www.securityfocus.com/archive/1/531762 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2014-1679
https://notcve.org/view.php?id=CVE-2014-1679
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file. Vulnerabilidad de XSS en Open-Xchange (OX) AppSuite anterior a 7.2.2-rev31, 7.4.0 anterior a 7.4.0-rev27, y 7.4.1 anterior a 7.4.1-rev17 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de la cabecera en un fichero SGV adjunto. • http://secunia.com/advisories/56828 http://www.securityfocus.com/archive/1/531005 https://exchange.xforce.ibmcloud.com/vulnerabilities/91059 https://forum.open-xchange.com/showthread.php?8259-Open-Xchange-releases-Security-Patch-2014-01-29-for-v7-2-2-v7-4-0-and-v7-4-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2013-7141
https://notcve.org/view.php?id=CVE-2013-7141
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "<%" tags. Vulnerabilidad XSS en Open-Xchange (OX) AppSuite v7.4.1 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través de vectores no especificados relacionados con etiquetas "<%" manipuladas. • http://osvdb.org/102192 http://seclists.org/bugtraq/2014/Jan/57 http://www.securityfocus.com/bid/65009 http://www.securitytracker.com/id/1029650 https://exchange.xforce.ibmcloud.com/vulnerabilities/90544 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •