CVE-2016-5740
Open-Xchange App Suite 7.8.2 - Cross-Site Scripting
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Ha sido descubierto un problema en Open-Xchange OX App Suite en versiones anteriores a 7.8.2-rev5. Un código JavaScript puede ser usado como parte de adjuntos ical dentro de E-Mails de programación. Este contenido, por ejemplo la ubicación de una reunión, se presentará al usuario en la aplicación de correo electrónico, dependiendo del flujo de trabajo de la invitación. Este código se ejecuta dentro del contexto de la sesión actual del usuario. El código script malicioso puede ser ejecutado en un contexto de usuario. Esto puede conducir al secuestro de sesión o activar acciones no deseadas a través de la interfaz web (envío de correo, eliminación de datos, etc.).
Open-Xchange App Suite versions 7.8.2 and below suffer from multiple cross site scripting vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-06-22 CVE Reserved
- 2016-09-13 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html | Mitigation | |
http://www.securityfocus.com/archive/1/539394/100/0/threaded | Mailing List | |
http://www.securityfocus.com/bid/92922 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/40378 | 2024-08-06 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Open-xchange Search vendor "Open-xchange" | Open-xchange Appsuite Search vendor "Open-xchange" for product "Open-xchange Appsuite" | <= 7.8.2 Search vendor "Open-xchange" for product "Open-xchange Appsuite" and version " <= 7.8.2" | rev4 |
Affected
|