CVE-2016-2840

Name of the Vulnerable Software and Affected Versions Open-Xchange Server 6 / OX AppSuite versions prior to 7.8.0-rev26

Description An issue was discovered where the session parameter for file-download requests can be used to inject script code, which gets reflected through the subsequent status page, allowing malicious script code to be executed within a trusted domain's context. This can be exploited without authentication and used for social engineering attacks, stealing cookies, or redirecting from trustworthy to malicious hosts.

Recommendations For Open-Xchange Server 6 / OX AppSuite versions prior to 7.8.0-rev26, update to version 7.8.0-rev26 or later to resolve the issue. As a temporary workaround, consider restricting access to the file-download requests to minimize the risk of exploitation.