Open Xchange · Open-Xchange Appsuite · CVE-2018-5756
Name of the Vulnerable Software and Affected Versions:
Open-Xchange OX App Suite versions prior to 7.6.3-rev36
Open-Xchange OX App Suite versions 7.8.x prior to 7.8.2-rev39
Open-Xchange OX App Suite versions 7.8.3 prior to 7.8.3-rev44
Open-Xchange OX App Suite versions 7.8.4 prior to 7.8.4-rev22
Description:
The issue allows remote authenticated users to delete arbitrary tasks by exploiting a flaw in the backend component's folder-to-object association check. This can be done via a delete action to the "api/tasks" endpoint, using the `task id` variable.
Recommendations:
For versions prior to 7.6.3-rev36, update to version 7.6.3-rev36 or later.
For versions 7.8.x prior to 7.8.2-rev39, update to version 7.8.2-rev39 or later.
For versions 7.8.3 prior to 7.8.3-rev44, update to version 7.8.3-rev44 or later.
For versions 7.8.4 prior to 7.8.4-rev22, update to version 7.8.4-rev22 or later.