An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/93457 | Third Party Advisory VDB Entry |
https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2016-12-15T06:31:00
Updated: 2016-12-26T00:57:01
Reserved: 2016-08-18T00:00:00
Link: CVE-2016-6842
JSON object: View
NVD Information
Status : Analyzed
Published: 2016-12-15T06:59:15.270
Modified: 2016-12-16T18:41:54.860
Link: CVE-2016-6842
JSON object: View
Redhat Information
No data.
CWE