NVD List

Id Name Description Reject CVSS Version CVSS Score Severity Pub Date Modified Date Actions
21486  CVE-2016-6852  An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks.    4.3  Medium  2017-01-19  2016-12-16  View
19019  CVE-2016-3174  An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks.    4.3  Medium  2017-01-19  2016-12-15  View
19018  CVE-2016-3173  An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user"s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Users actively need to add a file to the portal to enable this attack. In case of shared files however, a internal attacker may modify a previously embedded file to carry a malicious file name. Furthermore this vulnerability can be used to persistently execute code that got injected by a temporary script execution vulnerability.    3.5  Low  2017-01-19  2016-12-16  View
19748  CVE-2016-4028  An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user"s "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker.    3.5  Low  2017-01-19  2016-12-16  View
21487  CVE-2016-6853  An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user"s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).    4.3  Medium  2017-01-19  2016-12-16  View

Page 1172 of 17672, showing 5 records out of 88360 total, starting on record 5856, ending on 5860

<<first 1168 | 1169 | 1170 | 1171 | 1172 | 1173 | 1174 | 1175 | 1176 last>>

Actions