CVE-2014-2391
Open-Xchange AppSuite < 7.2.2 - Exposure of Sensitive Information via Password Recovery Service
Title source: llmDescription
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request.
References (1)
Core 1
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/531762
Scores
EPSS
0.0023
EPSS Percentile
45.7%
Details
CWE
CWE-200
Status
published
Products (5)
open-xchange/open-xchange_appsuite
7.2.0
open-xchange/open-xchange_appsuite
7.2.1
open-xchange/open-xchange_appsuite
7.4.1
open-xchange/open-xchange_appsuite
7.4.2
open-xchange/open-xchange_appsuite
< 7.2.2
Published
Apr 24, 2014
Tracked Since
Feb 18, 2026