CVE-2016-6843

Name of the Vulnerable Software and Affected Versions Open-Xchange OX App Suite versions prior to 7.8.2-rev8

Description An issue allows script code to be injected into contact names. When these contacts are added to a group using autocomplete, the script code is executed in the context of the user creating or changing the group, often a user with elevated permissions. This can lead to malicious script code execution within a user's context, potentially resulting in session hijacking or triggering unwanted actions via the web interface, such as sending mail or deleting data.

Recommendations For versions prior to 7.8.2-rev8, update to version 7.8.2-rev8 or later to resolve the issue. As a temporary workaround, consider disabling the autocomplete feature when adding contacts to groups until the update is applied. Restrict access to group management to minimize the risk of exploitation. Avoid using the affected contact management functionality until the issue is resolved.