CVE-2016-5740
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
15/12/2016
Last modified:
12/04/2025
Description
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:open-xchange:open-xchange_appsuite:*:rev4:*:*:*:*:*:* | 7.8.2 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html
- http://www.securityfocus.com/archive/1/539394/100/0/threaded
- http://www.securityfocus.com/bid/92922
- https://www.exploit-db.com/exploits/40378/
- http://packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html
- http://www.securityfocus.com/archive/1/539394/100/0/threaded
- http://www.securityfocus.com/bid/92922
- https://www.exploit-db.com/exploits/40378/