A vulnerability, which was classified as problematic, has been found in Open-Xchange App Suite up to 7.6.3-rev36/7.8.2-rev39/7.8.3-rev47/7.8.4-rev27. Affected by this issue is some unknown functionality of the component XML Data Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality.

The bug was discovered 07/02/2018. The weakness was disclosed 07/03/2018 by Michael Reizelman, Secator and Antonio (Website). The advisory is shared for download at open-xchange.com. The public release has been coordinated in cooperation with the vendor. This vulnerability is handled as CVE-2018-9998 since 04/10/2018. The attack may be launched remotely. A simple authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k.

Applying the patch 7.6.3-rev37/7.8.2-rev40/7.8.3-rev48/7.8.4-rev28 is able to eliminate this problem.

The entry 120331 is pretty similar.

Productinfo

Vendor

• Open-Xchange

Name

• App Suite

Version

• 7.6.3-rev36
• 7.8.2-rev39
• 7.8.3-rev47
• 7.8.4-rev27

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion