CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6843
https://notcve.org/view.php?id=CVE-2016-6843
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a user with elevated permissions. Malicious script code can be executed within a user's context. • http://www.securityfocus.com/bid/93457 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4028
https://notcve.org/view.php?id=CVE-2016-4028
An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. • http://www.securityfocus.com/archive/1/538732/100/0/threaded http://www.securitytracker.com/id/1036154 • CWE-255: Credentials Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6847
https://notcve.org/view.php?id=CVE-2016-6847
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/bid/93457 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4045
https://notcve.org/view.php?id=CVE-2016-4045
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/archive/1/538732/100/0/threaded http://www.securitytracker.com/id/1036157 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-6854 – Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-6854
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Ha sido descubierto un problema en Open-Xchange OX Guard en versiones anteriores a 2.4.2-rev5. • https://www.exploit-db.com/exploits/40377 http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/539395/100/0/threaded http://www.securityfocus.com/bid/92920 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •