Vulnerabilites related to open-xchange - ox_guard
cve-2016-6851
Vulnerability from cvelistv5
Published
2016-12-15 06:31
Modified
2024-08-06 01:43
Severity ?
EPSS score ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/92920 | vdb-entry, x_refsource_BID | |
| http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | x_refsource_CONFIRM | |
| https://www.exploit-db.com/exploits/40377/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/archive/1/539395/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:37.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "92920",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "92920",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6851",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92920",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92920"
},
{
"name": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html",
"refsource": "CONFIRM",
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6851",
"datePublished": "2016-12-15T06:31:00",
"dateReserved": "2016-08-18T00:00:00",
"dateUpdated": "2024-08-06T01:43:37.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-6854
Vulnerability from cvelistv5
Published
2016-12-15 06:31
Modified
2024-08-06 01:43
Severity ?
EPSS score ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/92920 | vdb-entry, x_refsource_BID | |
| http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | x_refsource_CONFIRM | |
| https://www.exploit-db.com/exploits/40377/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/archive/1/539395/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:38.589Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "92920",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "92920",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6854",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92920",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92920"
},
{
"name": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html",
"refsource": "CONFIRM",
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6854",
"datePublished": "2016-12-15T06:31:00",
"dateReserved": "2016-08-18T00:00:00",
"dateUpdated": "2024-08-06T01:43:38.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-9426
Vulnerability from cvelistv5
Published
2020-06-15 14:55
Modified
2024-08-04 10:26
Severity ?
EPSS score ?
Summary
OX Guard 2.10.3 and earlier allows XSS.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.open-xchange.com/ | x_refsource_MISC | |
| https://seclists.org/fulldisclosure/2020/Jun/20 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.open-xchange.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.10.3 and earlier allows XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-15T18:06:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.open-xchange.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-9426",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OX Guard 2.10.3 and earlier allows XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.open-xchange.com/",
"refsource": "MISC",
"url": "https://www.open-xchange.com/"
},
{
"name": "https://seclists.org/fulldisclosure/2020/Jun/20",
"refsource": "MISC",
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"name": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-9426",
"datePublished": "2020-06-15T14:55:16",
"dateReserved": "2020-02-27T00:00:00",
"dateUpdated": "2024-08-04T10:26:16.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-4028
Vulnerability from cvelistv5
Published
2016-12-15 06:31
Modified
2024-08-06 00:17
Severity ?
EPSS score ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securitytracker.com/id/1036154 | vdb-entry, x_refsource_SECTRACK | |
| http://www.securityfocus.com/archive/1/538732/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:17:30.741Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1036154",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1036154"
},
{
"name": "20160622 Open-Xchange Security Advisory 2016-06-22",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/538732/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users\u0027 credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user\u0027s \"OxReaderID\" cookie and the value of the \"auth\" parameter needs to be known to the attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "1036154",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1036154"
},
{
"name": "20160622 Open-Xchange Security Advisory 2016-06-22",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/538732/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-4028",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users\u0027 credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user\u0027s \"OxReaderID\" cookie and the value of the \"auth\" parameter needs to be known to the attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1036154",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1036154"
},
{
"name": "20160622 Open-Xchange Security Advisory 2016-06-22",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/538732/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-4028",
"datePublished": "2016-12-15T06:31:00",
"dateReserved": "2016-04-15T00:00:00",
"dateUpdated": "2024-08-06T00:17:30.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-6853
Vulnerability from cvelistv5
Published
2016-12-15 06:31
Modified
2024-08-06 01:43
Severity ?
EPSS score ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/92920 | vdb-entry, x_refsource_BID | |
| http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | x_refsource_CONFIRM | |
| https://www.exploit-db.com/exploits/40377/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/archive/1/539395/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:38.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "92920",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "92920",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6853",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92920",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92920"
},
{
"name": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html",
"refsource": "CONFIRM",
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"name": "40377",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"name": "20160913 Open-Xchange Security Advisory 2016-09-13 (2)",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6853",
"datePublished": "2016-12-15T06:31:00",
"dateReserved": "2016-08-18T00:00:00",
"dateUpdated": "2024-08-06T01:43:38.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-10986
Vulnerability from cvelistv5
Published
2019-07-03 16:08
Modified
2024-08-05 07:54
Severity ?
EPSS score ?
Summary
OX Guard 2.8.0 has CSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:54:36.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.8.0 has CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-03T16:08:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-10986",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OX Guard 2.8.0 has CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf",
"refsource": "CONFIRM",
"url": "http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-10986",
"datePublished": "2019-07-03T16:08:33",
"dateReserved": "2018-05-11T00:00:00",
"dateUpdated": "2024-08-05T07:54:36.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-9427
Vulnerability from cvelistv5
Published
2020-06-15 14:52
Modified
2024-08-04 10:26
Severity ?
EPSS score ?
Summary
OX Guard 2.10.3 and earlier allows SSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.open-xchange.com/ | x_refsource_MISC | |
| https://seclists.org/fulldisclosure/2020/Jun/20 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.open-xchange.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.10.3 and earlier allows SSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-15T18:06:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.open-xchange.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-9427",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OX Guard 2.10.3 and earlier allows SSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.open-xchange.com/",
"refsource": "MISC",
"url": "https://www.open-xchange.com/"
},
{
"name": "https://seclists.org/fulldisclosure/2020/Jun/20",
"refsource": "MISC",
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"name": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-9427",
"datePublished": "2020-06-15T14:52:22",
"dateReserved": "2020-02-27T00:00:00",
"dateUpdated": "2024-08-04T10:26:16.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-7385
Vulnerability from cvelistv5
Published
2015-11-19 20:00
Modified
2024-08-06 07:51
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in "Guard PGP Settings."
References
| ▼ | URL | Tags |
|---|---|---|
| http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf | x_refsource_CONFIRM | |
| http://www.securityfocus.com/archive/1/536923/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securitytracker.com/id/1034166 | vdb-entry, x_refsource_SECTRACK | |
| http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:27.327Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf"
},
{
"name": "20151117 Open-Xchange Security Advisory 2015-11-17",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536923/100/0/threaded"
},
{
"name": "1034166",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034166"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in \"Guard PGP Settings.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf"
},
{
"name": "20151117 Open-Xchange Security Advisory 2015-11-17",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536923/100/0/threaded"
},
{
"name": "1034166",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034166"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7385",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in \"Guard PGP Settings.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf",
"refsource": "CONFIRM",
"url": "http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf"
},
{
"name": "20151117 Open-Xchange Security Advisory 2015-11-17",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536923/100/0/threaded"
},
{
"name": "1034166",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034166"
},
{
"name": "http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7385",
"datePublished": "2015-11-19T20:00:00",
"dateReserved": "2015-09-28T00:00:00",
"dateUpdated": "2024-08-06T07:51:27.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-8542
Vulnerability from cvelistv5
Published
2016-12-15 06:31
Modified
2024-08-06 08:20
Severity ?
EPSS score ?
Summary
An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when accessing PGP Private Keys. In case a user has set the same password as another user, it is possible to download another user's PGP Private Key by iterating the "id" and "cid" parameters. This kind of attack would also be able by brute-forcing login credentials, but since the "id" and "cid" parameters are sequential they are much easier to predict than a user's login name. At the same time, there are some obvious insecure standard passwords that are widely used. A attacker could send the hashed representation of typically weak passwords and randomly fetch Private Key of matching accounts. The attack can be executed by both internal users and "guests" which use the external mail reader.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/537678/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securitytracker.com/id/1035174 | vdb-entry, x_refsource_SECTRACK | |
| http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:20:43.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20160302 Open-Xchange Security Advisory 2016-03-02",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/537678/100/0/threaded"
},
{
"name": "1035174",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035174"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The \"getprivkeybyid\" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the \"id\" and \"cid\" parameter to specify the current user by its user- and context-ID. The \"auth\" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when accessing PGP Private Keys. In case a user has set the same password as another user, it is possible to download another user\u0027s PGP Private Key by iterating the \"id\" and \"cid\" parameters. This kind of attack would also be able by brute-forcing login credentials, but since the \"id\" and \"cid\" parameters are sequential they are much easier to predict than a user\u0027s login name. At the same time, there are some obvious insecure standard passwords that are widely used. A attacker could send the hashed representation of typically weak passwords and randomly fetch Private Key of matching accounts. The attack can be executed by both internal users and \"guests\" which use the external mail reader."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20160302 Open-Xchange Security Advisory 2016-03-02",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/537678/100/0/threaded"
},
{
"name": "1035174",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035174"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8542",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The \"getprivkeybyid\" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the \"id\" and \"cid\" parameter to specify the current user by its user- and context-ID. The \"auth\" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when accessing PGP Private Keys. In case a user has set the same password as another user, it is possible to download another user\u0027s PGP Private Key by iterating the \"id\" and \"cid\" parameters. This kind of attack would also be able by brute-forcing login credentials, but since the \"id\" and \"cid\" parameters are sequential they are much easier to predict than a user\u0027s login name. At the same time, there are some obvious insecure standard passwords that are widely used. A attacker could send the hashed representation of typically weak passwords and randomly fetch Private Key of matching accounts. The attack can be executed by both internal users and \"guests\" which use the external mail reader."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20160302 Open-Xchange Security Advisory 2016-03-02",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/537678/100/0/threaded"
},
{
"name": "1035174",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035174"
},
{
"name": "http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html",
"refsource": "CONFIRM",
"url": "http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8542",
"datePublished": "2016-12-15T06:31:00",
"dateReserved": "2015-12-11T00:00:00",
"dateUpdated": "2024-08-06T08:20:43.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-28944
Vulnerability from cvelistv5
Published
2021-04-30 21:06
Modified
2024-08-04 16:48
Severity ?
EPSS score ?
Summary
OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://open-xchange.com | x_refsource_MISC | |
| http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:00.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://open-xchange.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-30T21:06:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://open-xchange.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-28944",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://open-xchange.com",
"refsource": "MISC",
"url": "https://open-xchange.com"
},
{
"name": "http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-28944",
"datePublished": "2021-04-30T21:06:19",
"dateReserved": "2020-11-19T00:00:00",
"dateUpdated": "2024-08-04T16:48:00.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-26456
Vulnerability from cvelistv5
Published
2023-11-02 13:01
Modified
2024-12-03 14:35
Severity ?
EPSS score ?
Summary
Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OX Software GmbH | OX App Suite |
Version: 0 ≤ 2.10.7-rev6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:52.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-19T17:21:33.807464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T14:35:08.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"guard"
],
"product": "OX App Suite",
"vendor": "OX Software GmbH",
"versions": [
{
"lessThanOrEqual": "2.10.7-rev6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers were able to set an arbitrary \u0026quot;product name\u0026quot; for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.\u003c/p\u003e"
}
],
"value": "Users were able to set an arbitrary \"product name\" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T07:09:35.360Z",
"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"shortName": "OX"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json"
}
],
"source": {
"defect": [
"GUARD-440"
],
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"assignerShortName": "OX",
"cveId": "CVE-2023-26456",
"datePublished": "2023-11-02T13:01:24.351Z",
"dateReserved": "2023-02-22T20:42:56.092Z",
"dateUpdated": "2024-12-03T14:35:08.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2015-11-19 20:59
Modified
2024-11-21 02:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in "Guard PGP Settings."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:rev6:*:*:*:*:*:*",
"matchCriteriaId": "DB431193-92E2-4F62-A831-906BE6F9EE61",
"versionEndIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in \"Guard PGP Settings.\""
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Open-Xchange OX Guard en versiones anteriores a 2.0.0-rev11 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de el campo uid en una clave p\u00fablica PGP, lo que no es manejado adecuadamente en \u0027Guard PGP Settings.\u0027"
}
],
"id": "CVE-2015-7385",
"lastModified": "2024-11-21T02:36:41.870",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-11-19T20:59:04.080",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/536923/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1034166"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://software.open-xchange.com/products/guard/doc/Release_Notes_for_Patch_Release_2777_2.0.0_2015-09-30.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/536923/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1034166"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-15 06:59
Modified
2024-11-21 02:56
Severity ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/539395/100/0/threaded | ||
| cve@mitre.org | http://www.securityfocus.com/bid/92920 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.exploit-db.com/exploits/40377/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/539395/100/0/threaded | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/92920 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/40377/ | Exploit, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:rev4:*:*:*:*:*:*",
"matchCriteriaId": "F43BE968-3616-49FA-94B6-24BBF098F093",
"versionEndIncluding": "2.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)."
},
{
"lang": "es",
"value": "Ha sido descubierto un problema en Open-Xchange OX Guard en versiones anteriores a 2.4.2-rev5. Un c\u00f3digo de script y las referencias a sitios web externos pueden ser inyectados a los nombres de las claves p\u00fablicas de PGP. Al solicitar esa clave m\u00e1s adelante usando una URL espec\u00edfica, ese c\u00f3digo script podr\u00eda ser ejecutado. En caso de inyectar sitios web externos, los usuarios pueden ser llevados a un esquema de phishing. El c\u00f3digo script malicioso puede ser ejecutado en un contexto de usuario. Esto puede conducir al secuestro de sesi\u00f3n o activar acciones no deseadas a trav\u00e9s de la interfaz web (env\u00edo de correo, eliminaci\u00f3n de datos, etc.)."
}
],
"id": "CVE-2016-6853",
"lastModified": "2024-11-21T02:56:57.957",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-15T06:59:24.580",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40377/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-15 15:15
Modified
2024-11-21 05:40
Severity ?
Summary
OX Guard 2.10.3 and earlier allows XSS.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2020/Jun/20 | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://www.open-xchange.com/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2020/Jun/20 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.open-xchange.com/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | 2.10.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "502D82AB-2A24-446D-92BE-64B17CE00521",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.10.3 and earlier allows XSS."
},
{
"lang": "es",
"value": "OX Guard versiones 2.10.3 y anteriores, permiten un ataque de tipo XSS"
}
],
"id": "CVE-2020-9426",
"lastModified": "2024-11-21T05:40:36.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-15T15:15:09.770",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.open-xchange.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.open-xchange.com/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-15 06:59
Modified
2024-11-21 02:56
Severity ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/539395/100/0/threaded | ||
| cve@mitre.org | http://www.securityfocus.com/bid/92920 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.exploit-db.com/exploits/40377/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/539395/100/0/threaded | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/92920 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/40377/ | Exploit, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:rev4:*:*:*:*:*:*",
"matchCriteriaId": "F43BE968-3616-49FA-94B6-24BBF098F093",
"versionEndIncluding": "2.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already."
},
{
"lang": "es",
"value": "Ha sido descubierto un problema en Open-Xchange OX Guard en versiones anteriores a 2.4.2-rev5. C\u00f3digo script puede ser usado como par\u00e1metro para la aplicaci\u00f3n web de lectura hu\u00e9sped OX Guard. Esto permite ataques de XSS contra usuarios arbitrarios debido a que ninguna autenticaci\u00f3n previa es necesaria. El c\u00f3digo script malicioso puede ser ejecutado en un contexto de usuario. Esto puede conducir al secuestro de sesi\u00f3n o desencadenar acciones no deseadas a trav\u00e9s de la interfaz web (env\u00edo de correo, eliminaci\u00f3n de datos, etc.) en caso de que el usuario tenga una sesi\u00f3n activa en el mismo dominio a la vez."
}
],
"id": "CVE-2016-6851",
"lastModified": "2024-11-21T02:56:57.667",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-15T06:59:22.580",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40377/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-02 14:15
Modified
2024-11-21 07:51
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * | |
| open-xchange | ox_guard | 2.10.7 | |
| open-xchange | ox_guard | 2.10.7 | |
| open-xchange | ox_guard | 2.10.7 | |
| open-xchange | ox_guard | 2.10.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6664DDB-A2AF-4052-B94F-007AA6C39F24",
"versionEndExcluding": "2.10.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:2.10.7:-:*:*:*:*:*:*",
"matchCriteriaId": "5C7C4678-E325-45CE-BE47-E30E1536642C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:2.10.7:rev4:*:*:*:*:*:*",
"matchCriteriaId": "0443570E-ABA7-4F23-9B5C-B6FD78D7A318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:2.10.7:rev5:*:*:*:*:*:*",
"matchCriteriaId": "83773F6B-A937-4194-B194-DA1FDADC7CFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:2.10.7:rev6:*:*:*:*:*:*",
"matchCriteriaId": "B5A11B45-E1B5-4C50-B7D0-8BF965103866",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Users were able to set an arbitrary \"product name\" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.\n\n"
},
{
"lang": "es",
"value": "Los usuarios pudieron establecer un \"nombre de producto\" arbitrario para OX Guard. El valor elegido no se sanitizo lo suficiente antes de procesarlo en la interfaz de usuario, lo que permiti\u00f3 ataques indirectos de Cross Site Scripting. Las cuentas que fueron tomadas temporalmente podr\u00edan configurarse para desencadenar la ejecuci\u00f3n de c\u00f3digo persistente, lo que permitir\u00eda a un atacante establecerse. La sanitizaci\u00f3n ya est\u00e1 implementada para los nombres de los productos. No se conocen exploits disponibles p\u00fablicamente."
}
],
"id": "CVE-2023-26456",
"lastModified": "2024-11-21T07:51:30.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security@open-xchange.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-02T14:15:10.940",
"references": [
{
"source": "security@open-xchange.com",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json"
},
{
"source": "security@open-xchange.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf"
}
],
"sourceIdentifier": "security@open-xchange.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@open-xchange.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-30 22:15
Modified
2024-11-21 05:23
Severity ?
Summary
OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://open-xchange.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://open-xchange.com | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC0FA773-410E-47AA-A395-94DB69CB6EC8",
"versionEndIncluding": "2.10.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data."
},
{
"lang": "es",
"value": "OX Guard vesiones 2.10.4 y anteriores permiten una Denegaci\u00f3n de Servicio por medio de un servidor WKS que responde lentamente o con una gran cantidad de datos."
}
],
"id": "CVE-2020-28944",
"lastModified": "2024-11-21T05:23:20.893",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-30T22:15:07.623",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://open-xchange.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://open-xchange.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-15 06:59
Modified
2024-11-21 02:38
Severity ?
Summary
An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when accessing PGP Private Keys. In case a user has set the same password as another user, it is possible to download another user's PGP Private Key by iterating the "id" and "cid" parameters. This kind of attack would also be able by brute-forcing login credentials, but since the "id" and "cid" parameters are sequential they are much easier to predict than a user's login name. At the same time, there are some obvious insecure standard passwords that are widely used. A attacker could send the hashed representation of typically weak passwords and randomly fetch Private Key of matching accounts. The attack can be executed by both internal users and "guests" which use the external mail reader.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/537678/100/0/threaded | ||
| cve@mitre.org | http://www.securitytracker.com/id/1035174 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/537678/100/0/threaded | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1035174 | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44E60610-A117-4D3C-9115-5AA6879877D7",
"versionEndIncluding": "2.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The \"getprivkeybyid\" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the \"id\" and \"cid\" parameter to specify the current user by its user- and context-ID. The \"auth\" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when accessing PGP Private Keys. In case a user has set the same password as another user, it is possible to download another user\u0027s PGP Private Key by iterating the \"id\" and \"cid\" parameters. This kind of attack would also be able by brute-forcing login credentials, but since the \"id\" and \"cid\" parameters are sequential they are much easier to predict than a user\u0027s login name. At the same time, there are some obvious insecure standard passwords that are widely used. A attacker could send the hashed representation of typically weak passwords and randomly fetch Private Key of matching accounts. The attack can be executed by both internal users and \"guests\" which use the external mail reader."
},
{
"lang": "es",
"value": "Ha sido descubierto un problema en Open-Xchange Guard en versiones anteriores a 2.2.0-rev8. La llamada API \"getprivkeybyid\" es empleada para descargar Clave Privada PGP para un usuario espec\u00edfico tras proveer credenciales de autenticaci\u00f3n. Los clientes proveen el par\u00e1metro \"id\" y \"cid\" para especificar el usuario actual mediante su ID -y contexto-. El par\u00e1metro \"auth\" contiene cadena de contrase\u00f1a hash que es creada por el cliente solicitando al usuario que introduzca su contrase\u00f1a OX Guard. Este par\u00e1metro es utilizado como un \u00fanico punto de autenticaci\u00f3n al acceder a Claves Privadas PGP. En caso de que un usuario haya establecido la misma contrase\u00f1a que otro usuario, es posible descargar la Clave Privada PGP de otro usuario por interaci\u00f3n de los par\u00e1metros \"id\" y \"cid\". Este tipo de ataque podr\u00eda ser tambi\u00e9n posible forzando credenciales de inicio de sesi\u00f3n, pero dado que los par\u00e1metros \"id\" y \"cid\" son secuenciales, son mucho m\u00e1s f\u00e1ciles de predecir que el nombre de inicio de sesi\u00f3n de un usuario. Al mismo tiempo, hay algunas contrase\u00f1as est\u00e1ndar inseguras obvias que son ampliamente utilizadas. Un atacante podr\u00eda enviar la representaci\u00f3n hash de las contrase\u00f1as t\u00edpicamente d\u00e9biles y buscar aleatoriamente la Clave Privada de las cuentas coincidentes. El ataque puede ser ejecutado tanto por usuarios internos como por \"invitados\" que utilizan el lector de correo externo."
}
],
"id": "CVE-2015-8542",
"lastModified": "2024-11-21T02:38:41.693",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-15T06:59:00.130",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/537678/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1035174"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/537678/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1035174"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-320"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-15 06:59
Modified
2024-11-21 02:56
Severity ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/539395/100/0/threaded | ||
| cve@mitre.org | http://www.securityfocus.com/bid/92920 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.exploit-db.com/exploits/40377/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/539395/100/0/threaded | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/92920 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/40377/ | Exploit, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:rev4:*:*:*:*:*:*",
"matchCriteriaId": "F43BE968-3616-49FA-94B6-24BBF098F093",
"versionEndIncluding": "2.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user\u0027s context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)."
},
{
"lang": "es",
"value": "Ha sido descubierto un problema en Open-Xchange OX Guard en versiones anteriores a 2.4.2-rev5. Un c\u00f3digo script que ha sido inyectado en un mail con la firma PGP es ejecutado cuando se verifica la firma. El c\u00f3digo script malicioso puede ser ejecutado en un contexto de usuario. Esto puede conducir al secuestro de sesi\u00f3n o activar acciones no deseadas a trav\u00e9s de la interfaz web (env\u00edo de correo, eliminaci\u00f3n de datos, etc.)."
}
],
"id": "CVE-2016-6854",
"lastModified": "2024-11-21T02:56:58.107",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-15T06:59:25.830",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40377/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/539395/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92920"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40377/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-15 06:59
Modified
2024-11-21 02:51
Severity ?
Summary
An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:*:rev7:*:*:*:*:*:*",
"matchCriteriaId": "C53D52F6-DBFF-4FCF-9EB7-B7537A32EFD5",
"versionEndIncluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users\u0027 credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user\u0027s \"OxReaderID\" cookie and the value of the \"auth\" parameter needs to be known to the attacker."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en OX Guard de Open-Xchange anterior a versi\u00f3n 2.4.0-rev8. OX Guard utiliza un token de autenticaci\u00f3n para identificar y transferir las credenciales de usuarios invitados. La API de OX Guard act\u00faa como un or\u00e1culo de relleno (padding oracle) al responder con diferentes c\u00f3digos de error dependiendo de si el token provisto coincide con el cifrado de relleno (encryption padding). En combinaci\u00f3n con AES-CBC, esto permite a los atacantes adivinar el relleno correcto. Los atacantes pueden ejecutar ataques violentos en el contenido del token de autenticaci\u00f3n del invitado y detectar las credenciales del usuario. Para un vector de ataque pr\u00e1ctico, los usuarios invitados necesitan haber iniciado sesi\u00f3n, el contenido de la cookie \"OxReaderID\" del usuario invitado y el valor del par\u00e1metro \"auth\" deben ser conocidos por el atacante."
}
],
"id": "CVE-2016-4028",
"lastModified": "2024-11-21T02:51:11.733",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-15T06:59:07.457",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/538732/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1036154"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/538732/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1036154"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-07-03 17:15
Modified
2024-11-21 03:42
Severity ?
Summary
OX Guard 2.8.0 has CSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | 2.8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:2.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB73190C-F230-4F77-B71E-4BCA51250035",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.8.0 has CSRF."
},
{
"lang": "es",
"value": "OX Guard en la versi\u00f3n 2.8.0 tiene Cross-Site Request Forgery (CSRF)."
}
],
"id": "CVE-2018-10986",
"lastModified": "2024-11-21T03:42:26.437",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-03T17:15:09.893",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://software.open-xchange.com/products/guard/doc/OX_Guard_Release_Notes_for_Release_2.10.0_2018-07-04.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-15 15:15
Modified
2024-11-21 05:40
Severity ?
Summary
OX Guard 2.10.3 and earlier allows SSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2020/Jun/20 | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://www.open-xchange.com/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2020/Jun/20 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.open-xchange.com/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| open-xchange | ox_guard | 2.10.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open-xchange:ox_guard:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "502D82AB-2A24-446D-92BE-64B17CE00521",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OX Guard 2.10.3 and earlier allows SSRF."
},
{
"lang": "es",
"value": "OX Guard versiones 2.10.3 y anteriores, permiten un ataque de tipo SSRF"
}
],
"id": "CVE-2020-9427",
"lastModified": "2024-11-21T05:40:37.003",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-15T15:15:09.817",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.open-xchange.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/158069/OX-Guard-2.10.3-Cross-Site-Scripting-Server-Side-Request-Forgery.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2020/Jun/20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.open-xchange.com/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}