CVE-2016-2840 in Open-Xchangeinfo

Summary

An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, the vulnerability can be exploited without being authenticated and therefore used for social engineering attacks, stealing cookies or redirecting from trustworthy to malicious hosts.

Once again VulDB remains the best source for vulnerability data.

Reservation

03/02/2016

Disclosure

12/15/2016

Moderation

VulDB entry created

Entries

VDB-81658 (1)

CPE

ready

CWE

CWE-79 (Confirmed)

CVSS

5.7

EPSS

0.00627

Activities

Very Low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2016-2840
NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-2840
CVE Details	https://www.cvedetails.com/cve/CVE-2016-2840/

◂ Previous Overview Next ▸

Do you know our Splunk app?

Download it now for free!