CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2013-2583
https://notcve.org/view.php?id=CVE-2013-2583
Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite and Server before 6.20.7 rev16, 6.22.0 before rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allow remote attackers to inject arbitrary web script or HTML via (1) a javascript: URL, (2) malformed nested SCRIPT elements, (3) a mail signature, or (4) JavaScript code within an image file. Múltiples vulnerabilidades de cross-site scripting (XSS) en Open-Xchange AppSuite y Server anterior a v6.20.7 rev16, v6.22.0 anterior a rev15, v6.22.1 anterior a rev17, v7.0.1 anterior a rev6, y v7.0.2 anterior a rev7, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) un javascript: URL, (2) elementos anidados SCRIPT que están malformados, (3) una firma de correo, o (4) código JavaScript dentro de un archivo de imagen. • http://archives.neohapsis.com/archives/bugtraq/2013-04/0183.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 2CVE-2013-1651 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1651
OXUpdater in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof update servers and install arbitrary software via a crafted certificate. Open-Xchange Server anterior a 6.20.7 rev14, 6.22.0 anterior a rev13, y 6.22.1 anterior a rev14, no verifica los certificados X.509 desde los servidores SSL, lo que permite a atacantes "Man in the middle" suplantar los servidores e instalar software arbitrario a través de un certificado manipulado. Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-310: Cryptographic Issues •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2013-1649 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1649
Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses the crypt and SHA-1 algorithms for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack. Open-Xchange Server anteior a 6.20.7 rev14, 6.22.0 anteior a rev13, y 6.22.1 anteior a rev14, usa los algoritmos de cifrado crypt y SHA-1 para el cálculo del hash de contraseñas, lo que facilita a los atacantes dependientes del contexto la obtención de contraseñas en texto claro a través de un ataque de fuerza bruta. Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-255: Credentials Management Errors •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 2CVE-2013-1647 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1647
Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1) the location parameter to ajax/redirect or (2) multiple infostore URIs. Múltiples vulnerabilidades de inyección CRLF en Open-Xchange Server anterior a 6.20.7 rev14, 6.22.0 anteior a rev13, y 6.22.1 anterior a rev14, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de respuesta HTTP dividida (HTTP response split attack) a través de un parámetro manipulado como se demostró por (1)el parámetro "location" a ajax/redirect o (2)múltiples URI's infostore. Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 2CVE-2013-1645 – Open-Xchange Server 6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1645
Directory traversal vulnerability in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the publication template path. Vulnerabilidad de salto de directorio en Open-Xchange Server anterior a v6.20.7 rev14, 6.22.0 anterior a rev13, y 6.22.1 anterior a rev14 permite a los usuarios remotos autenticados leer archivos arbitrarios a través de .. (punto punto) en la ruta de la plantilla de publicación. Open-Xchange version 6 suffers from cross site scripting, local file inclusion, HTTP header injection / response splitting, missing SSL enforcement, server-side request forging, insecure password hashing, and file permission vulnerabilities. • https://www.exploit-db.com/exploits/24791 http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •