CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2014-5235
https://notcve.org/view.php?id=CVE-2014-5235
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds. Vulnerabilidad de XSS en el Frontend en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev33 y 7.6.x anterior a 7.6.0-rev16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con campos no especificados en canales RSS. • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html http://secunia.com/advisories/61080 http://software.open-xchange.com/OX6/doc/Release_Notes_for_Patch_Release_2112_7.6.0_2014-08-25.pdf http://www.securityfocus.com/archive/1/533443/100/0/threaded http://www.securityfocus.com/bid/69792 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2391
https://notcve.org/view.php?id=CVE-2014-2391
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request. El servicio de recuperación de contraseña en Open-Xchange AppSuite anterior a 7.2.2-rev20, 7.4.1 anterior a 7.4.1-rev11, y 7.4.2 anterior a 7.4.2-rev13 toma una decision indebida sobre la sensibilidad de una cadena que representa una contraseña utilizada anteriormente pero actualmente invalida, lo que permite a atacantes remotos obtener información potencialmente útil de pautas de contraseñas mediante la lectura de (1) un registro de acceso al servidor web, (2) un registro Referer del servidor web o (3) un historial del navegador que contiene esta cadena debido a su presencia en una solicitud GET. • http://www.securityfocus.com/archive/1/531762 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2392
https://notcve.org/view.php?id=CVE-2014-2392
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. La funcionalidad de autoconfiguración de E-Mail en Open-Xchange AppSuite anterior a 7.2.2-rev20, 7.4.1 anterior a 7.4.1-rev11 y 7.4.2 anterior a 7.4.2-rev13 situa a contraseñas en una solicitud GET, lo que permite a atacantes remotos obtener información sensible mediante la lectura de (1) registros de acceso al servidor web, (2) registros Referer del servidor web o (3) el historial del navegador. • http://www.securityfocus.com/archive/1/531762 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2393
https://notcve.org/view.php?id=CVE-2014-2393
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment. Vulnerabilidad de XSS en Open-Xchange AppSuite 7.4.1 anterior a 7.4.1-rev11 y 7.4.2 anterior a 7.4.2-rev13 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de un nombre de archivo Drive que no está manejado debidamente durante el uso del compositor para añadir un adjunto de email. • http://www.securityfocus.com/archive/1/531762 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2077
https://notcve.org/view.php?id=CVE-2014-2077
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 7.4.1 before 7.4.1-rev10 and 7.4.2 before 7.4.2-rev8 allows remote attackers to inject arbitrary web script or HTML via the subject of an email, involving 'the aria "tags" for screenreaders at the top bar'. Vulnerabilidad de XSS en el Frontend en Open-Xchange (OX) AppSuite 7.4.1 anterior a 7.4.1-rev10 y 7.4.2 anterior a 7.4.2-rev8 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del asunto de un email, involucrando las etiquetas aria para lectores de pantalla en la barra superior. • http://archives.neohapsis.com/archives/bugtraq/2014-03/0108.html http://secunia.com/advisories/57290 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •