CVE-2018-9998

MEDIUM

Open-Xchange App Suite Information Disclosure via Task API Folder Parameter

Title source: llm
STIX 2.1

Description

Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include folder names in API error responses, which allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to api/tasks.

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041213
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Jul/12

Scores

CVSS v3 6.5
EPSS 0.0038
EPSS Percentile 59.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (4)
open-xchange/open-xchange_appsuite 7.6.3 rev14 (19 CPE variants)
open-xchange/open-xchange_appsuite 7.8.0
open-xchange/open-xchange_appsuite 7.8.2
open-xchange/open-xchange_appsuite 7.8.3 (29 CPE variants)
Published Jul 05, 2018
Tracked Since Feb 18, 2026