CVE-2016-6853

Name of the Vulnerable Software and Affected Versions Open-Xchange OX Guard versions prior to 2.4.2-rev5

Description An issue allows script code and references to external websites to be injected into the names of PGP public keys. When a user requests the key later using a specific URL, the injected script code might be executed, potentially leading to session hijacking or triggering unwanted actions via the web interface, such as sending mail or deleting data. This could also lure users into a phishing scheme, allowing malicious script code to be executed within a user's context.

Recommendations For Open-Xchange OX Guard versions prior to 2.4.2-rev5, update to version 2.4.2-rev5 or later to resolve the issue. As a temporary workaround, consider restricting access to the PGP public key management interface to minimize the risk of exploitation. Avoid using the vulnerable key management functionality until the issue is resolved.