CVE-2013-7140

Name of the Vulnerable Software and Affected Versions Open-Xchange (OX) AppSuite versions 7.4.1 and earlier

Description The issue is related to an XML External Entity (XXE) vulnerability in the CalDAV interface. This allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. It is noted that this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks.

Recommendations For Open-Xchange (OX) AppSuite versions 7.4.1 and earlier, consider disabling the CalDAV interface as a temporary workaround until a patch is available. Restrict access to the WebDAV interface to minimize the risk of exploitation. Avoid using the SAX builder in the CalDAV interface until the issue is resolved.