An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/93457 | Third Party Advisory VDB Entry |
https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf | Release Notes Vendor Advisory |
http://www.securityfocus.com/bid/93457 | Third Party Advisory VDB Entry |
https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf | Release Notes Vendor Advisory |
Configurations
History
21 Nov 2024, 02:56
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.securityfocus.com/bid/93457 - Third Party Advisory, VDB Entry | |
References | () https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf - Release Notes, Vendor Advisory |
Information
Published : 2016-12-15 06:59
Updated : 2024-11-21 02:56
NVD link : CVE-2016-6842
Mitre link : CVE-2016-6842
CVE.ORG link : CVE-2016-6842
JSON object : View
Products Affected
open-xchange
- open-xchange_appsuite
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')