CVE-2016-5740

MEDIUM

Open-Xchange OX App Suite <7.8.2-rev5 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-5740. PoCs published by Jakub Żoczek.

AI-analyzed exploit summary: The document describes multiple XSS vulnerabilities in OX App Suite, including injection via resource descriptions, malicious hyperlinks with 'data' schema, and stored script code in temporary image storage. Each vulnerability is detailed with steps to reproduce and solutions.

Description

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Exploits (1)

exploitdb WRITEUP
by Jakub Żoczek · text · webapps · linux
https://www.exploit-db.com/exploits/40378

Classification
Writeup 100%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: OX App Suite 7.8.2 and earlier
Auth required
Prerequisites: Access to create or modify resources · Ability to send malicious emails · User interaction required
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (4)

Core 4
Core References
Mitigation, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40378/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92922
Mitigation, Third Party Advisory, VDB Entry x_refsource_confirm
http://packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/539394/100/0/threaded

Scores

CVSS v3 6.1
EPSS 0.0427
EPSS Percentile 89.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
open-xchange/open-xchange_appsuite < 7.8.2
Published Dec 15, 2016
Tracked Since Feb 18, 2026