Vulnerability Details CVE-2016-5740
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 35.4%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html
- http://www.securityfocus.com/archive/1/539394/100/0/threaded
- http://www.securityfocus.com/bid/92922
- https://www.exploit-db.com/exploits/40378/
- http://packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html
- http://www.securityfocus.com/archive/1/539394/100/0/threaded
- http://www.securityfocus.com/bid/92922
- https://www.exploit-db.com/exploits/40378/
Products affected by CVE-2016-5740
-
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.8.2