PT-2016-3924 · Open Xchange · Open-Xchange Ox Guard

Published: 2016-12-15 · Updated: 2018-10-19 · CVE-2015-8542

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Open-Xchange Guard versions prior to 2.2.0-rev8

Description: An issue in Open-Xchange Guard allows attackers to download the PGP private keys of other users via the "getprivkeybyid" API call. This is possible when two users share the same password, because an attacker can iterate through the "id" and "cid" parameters, which are sequential and far easier to predict than login names. Attackers can also brute-force login credentials or try commonly used weak passwords to fetch the private keys of matching accounts. Both internal users and external "guests" using the external mail reader can carry out this attack.

Recommendations: For versions prior to 2.2.0-rev8, update to version 2.2.0-rev8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "getprivkeybyid" API call or implementing additional authentication measures to prevent unauthorized access to PGP private keys. Avoid weak or commonly used passwords for OX Guard accounts to minimize the risk of exploitation.
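As an added example (not code from OX Guard or from this advisory), the following shows the two defender-side pieces the recommendation above implies: a detection function run over constructed access-log lines (the log format is assumed) that flags sessions spreading "getprivkeybyid" requests across many id/cid pairs, and a hypothetical weak key-fetch handler beside its hardened form, where the requested (id, cid) must match the identity bound to the authenticated session rather than being taken from the request.

```python
import re
from collections import defaultdict

# Constructed access-log lines in an assumed format (not real OX Guard logs):
# one session requesting several sequential id values for the same cid.
SAMPLE_LOG = """\
10.0.0.5 sess=a1 GET /guard/getprivkeybyid?id=101&cid=7
10.0.0.5 sess=a1 GET /guard/getprivkeybyid?id=102&cid=7
10.0.0.5 sess=a1 GET /guard/getprivkeybyid?id=103&cid=7
10.0.0.5 sess=a1 GET /guard/getprivkeybyid?id=104&cid=7
10.0.0.9 sess=b2 GET /guard/getprivkeybyid?id=250&cid=7
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) sess=(?P<sess>\S+) \S+ \S*getprivkeybyid\?id=(?P<id>\d+)&cid=(?P<cid>\d+)"
)


def flag_enumeration(log_text, threshold=3):
    """Return {session: count} for sessions that fetched more than `threshold`
    distinct (id, cid) pairs. A legitimate user only ever needs its own key,
    so any spread across ids from one session is worth alerting on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m["sess"]].add((int(m["id"]), int(m["cid"])))
    return {s: len(pairs) for s, pairs in seen.items() if len(pairs) > threshold}


def fetch_private_key_unchecked(session, requested_id, requested_cid, keystore):
    """Hypothetical weak handler: trusts the client-supplied id/cid, so any
    authenticated caller can ask for another user's key object."""
    return keystore.get((requested_id, requested_cid))


def fetch_private_key(session, requested_id, requested_cid, keystore):
    """Hardened handler: the requested (id, cid) must equal the identity bound
    to the authenticated session. A shared password is never an authorization
    signal, so another user's key object is simply unreachable."""
    if (requested_id, requested_cid) != (session["id"], session["cid"]):
        return None
    return keystore.get((requested_id, requested_cid))
```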


Weakness Enumeration

Related identifiers

CVE-2015-8542

Affected products

Open-Xchange Ox Guard