CVE-2016-2840
MEDIUMOpen-Xchange AppSuite < 7.8.0 - Unauthenticated Reflected Cross-Site Scripting via Session Parameter
Title source: llmDescription
An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, the vulnerability can be exploited without being authenticated and therefore used for social engineering attacks, stealing cookies or redirecting from trustworthy to malicious hosts.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537959/100/0/threaded
Third Party Advisory, VDB Entry x_refsource_confirm
http://packetstormsecurity.com/files/136543/Open-Xchange-7.8.0-Cross-Site-Scripting.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1035469
Scores
CVSS v3
6.1
EPSS
0.0063
EPSS Percentile
70.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
open-xchange/open-xchange_appsuite
< 7.8.0
Published
Dec 15, 2016
Tracked Since
Feb 18, 2026