CVE-2016-3174 - An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers t

CVE-2016-3174

Summary

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks.

References

Vulnerable Configurations

cpe:2.3:a:open-xchange:open-xchange_appsuite:*:rev-26:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite:*:rev-26:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 19-10-2018 - 15:46)
Impact:
Exploitability:

CWE

CWE-601

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:P/A:N

refmap via4

bugtraq	20160525 Open-Xchange Security Advisory 2016-05-25
confirm	http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html

Last major update

19-10-2018 - 15:46

Published

15-12-2016 - 06:59

Last modified

19-10-2018 - 15:46