PT-2013-3295 · Open Xchange · Open-Xchange Server

Published: 2013-09-05 · Updated: 2013-09-06 · CVE-2013-1648

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Open-Xchange Server versions prior to 6.20.7 rev14
Open-Xchange Server versions 6.22.0 prior to rev13
Open-Xchange Server versions 6.22.1 prior to rev14

Description

The issue is a server-side request forgery (SSRF) problem: the Subscriptions feature does not properly validate the publication-source URL. This allows remote authenticated users to trigger arbitrary outbound TCP traffic via a crafted Source field. Examples of exploitation include ftp:, gopher:, or http://127.0.0.1/ URLs.

Recommendations

For Open-Xchange Server versions prior to 6.20.7 rev14, update to version 6.20.7 rev14 or later.
For Open-Xchange Server versions 6.22.0 prior to rev13, update to version 6.22.0 rev13 or later.
For Open-Xchange Server versions 6.22.1 prior to rev14, update to version 6.22.1 rev14 or later.
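The root cause described above is a user-supplied Source URL that the server fetches without restricting scheme or destination. The following is an added illustration, not Open-Xchange code and not the vendor's fix, of the kind of check a subscription-source field needs before the server opens any connection: only http/https on standard ports, no embedded credentials, and no literal or resolved address that is loopback, private, link-local or otherwise non-public. The `resolver` hook is a hypothetical injection point so the DNS lookup can be replaced offline; in a real deployment it would resolve the host and the fetcher would connect to exactly the checked address.

```python
import ipaddress
from urllib.parse import urlsplit

# Policy for a subscription Source field: only web URLs on standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip_text):
    """True only for addresses outside loopback, private, link-local,
    multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_source_url(url, resolver=None):
    """Return (ok, reason) for a publication-source URL.

    resolver is a hypothetical hook: a callable mapping a hostname to a list
    of IP strings. When given, every resolved address must be public; when
    omitted, only literal IP hosts are checked."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"

    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    host = parts.hostname
    try:
        ipaddress.ip_address(host)   # literal IPv4/IPv6 host (brackets already stripped)
        addrs = [host]
    except ValueError:
        addrs = resolver(host) if resolver is not None else []
        if resolver is not None and not addrs:
            return False, f"{host} does not resolve"

    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} points at non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the URL kinds named in the advisory.
    samples = [
        "https://feeds.example.com/rss",
        "http://127.0.0.1/",
        "ftp://example.com/feed",
        "gopher://example.com:70/",
        "http://[::1]/",
    ]
    for s in samples:
        print(s, "->", validate_source_url(s))
```

Scheme and port allowlisting stop the ftp: and gopher: cases directly; the address check stops http://127.0.0.1/ and its IPv6 equivalent. Checking only the literal host is not enough on its own, since a hostname can resolve to an internal address, which is why the resolved addresses are checked too and the fetcher should connect to the address that was validated rather than resolving a second time.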


Weakness Enumeration

Related Identifiers

CVE-2013-1648

Affected Products

Open-Xchange Server