CVE-2016-6850

Name of the Vulnerable Software and Affected Versions Open-Xchange OX App Suite versions prior to 7.8.2-rev8

Description An issue allows SVG files to be used as profile pictures, potentially leading to the execution of malicious script code within a user's context. This can occur when the XML structure of the SVG file contains iframes and script code, which may be executed when the related picture URL is called or the person's image is viewed within a browser. As a result, malicious script code can be executed, potentially leading to session hijacking or triggering unwanted actions via the web interface, such as sending mail or deleting data.

Recommendations For Open-Xchange OX App Suite versions prior to 7.8.2-rev8, update to version 7.8.2-rev8 or later to resolve the issue. As a temporary workaround, consider restricting the use of SVG files as profile pictures until the update is applied.