CVE-2016-4027

Open-Xchange App Suite 7.8.1 Information Disclosure

Severity Score

3.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account.

Ha sido descubierto un problema en Open-Xchange OX App Suite en versiones anteriores a 7.8.1-rev10. El frontend App Suite ofrece controlar si un usuario quiere almacenar cookies que exceden la duración de sesión. Esta funcionalidad es útil cuando se inicia sesión desde clientes con privilegios reducidos o entornos compartidos. Sin embargo la configuración fue reconocida incorrectamente y las cookies fueron almacenadas independientemente de estos ajustes cuando el inicio de sesión fue realizado usando un método de inicio de sesión no interactivo. En caso de que el ajuste fuera forzado por la configuración de middleware o el usuario pasó por la página de inicio de sesión interactiva, el flujo de trabajo era correcto. Las cookies con información de autenticación pueden estar disponibles para otros usuarios en entornos compartidos. En caso de que el usuario no se haya desconectado correctamente de la sesión, los terceros con acceso al mismo cliente pueden acceder a la cuenta de un usuario.

Open-Xchange App Suite versions 7.8.1 and below suffer from an information disclosure vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-04-15 CVE Reserved
2016-06-22 CVE Published
2023-03-08 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (3)

URL	Tag	Source
http://packetstormsecurity.com/files/137599/Open-Xchange-App-Suite-7.8.1-Information-Disclosure.html	Third Party Advisory
http://www.securityfocus.com/archive/1/538732/100/0/threaded	Mailing List
http://www.securitytracker.com/id/1036157	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Open-xchange Search vendor "Open-xchange"		Open-xchange Appsuite Search vendor "Open-xchange" for product "Open-xchange Appsuite"				<= 7.8.1 Search vendor "Open-xchange" for product "Open-xchange Appsuite" and version " <= 7.8.1"		rev9		Affected