An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit Third Party Advisory VDB Entry |
http://www.securityfocus.com/archive/1/539395/100/0/threaded | |
http://www.securityfocus.com/bid/92920 | Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/40377/ | Exploit Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit Third Party Advisory VDB Entry |
http://www.securityfocus.com/archive/1/539395/100/0/threaded | |
http://www.securityfocus.com/bid/92920 | Third Party Advisory VDB Entry |
https://www.exploit-db.com/exploits/40377/ | Exploit Third Party Advisory VDB Entry |
Configurations
History
21 Nov 2024, 02:56
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html - Exploit, Third Party Advisory, VDB Entry | |
References | () http://www.securityfocus.com/archive/1/539395/100/0/threaded - | |
References | () http://www.securityfocus.com/bid/92920 - Third Party Advisory, VDB Entry | |
References | () https://www.exploit-db.com/exploits/40377/ - Exploit, Third Party Advisory, VDB Entry |
Information
Published : 2016-12-15 06:59
Updated : 2024-11-21 02:56
NVD link : CVE-2016-6851
Mitre link : CVE-2016-6851
CVE.ORG link : CVE-2016-6851
JSON object : View
Products Affected
open-xchange
- ox_guard
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')