An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is preserved when such files are opened "in browser" from our Mail or Drive app. For "a" tags, this may include link targets with base64-encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or to unwanted actions being triggered via the web interface (sending mail, deleting data, etc.).
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/93457 | Third Party Advisory VDB Entry |
https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2016-12-15T06:31:00
Updated: 2016-12-26T00:57:01
Reserved: 2016-08-18T00:00:00
Link: CVE-2016-6844
NVD Information
Status : Analyzed
Published: 2016-12-15T06:59:17.207
Modified: 2016-12-16T18:30:49.280
Link: CVE-2016-6844
Redhat Information
No data.
CWE