PT-2013-3293 · Open Xchange · Open-Xchange Server

Published

2013-09-05

Updated

2013-09-26

CVE-2013-1646

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Open-Xchange Server versions prior to 6.20.7 rev14 Open-Xchange Server versions 6.22.0 prior to rev13 Open-Xchange Server versions 6.22.1 prior to rev14

Description The issue allows remote attackers to inject arbitrary web script or HTML via various means, including invalid JSON data in a mail-sending POST request, an arbitrary parameter to servlet/TestServlet, a javascript: URL in a standalone-mode action to a UWA module, an infostore attachment, JavaScript code in a contact image, an RSS feed, or a signature.

Recommendations For Open-Xchange Server versions prior to 6.20.7 rev14, update to version 6.20.7 rev14 or later. For Open-Xchange Server versions 6.22.0 prior to rev13, update to version 6.22.0 rev13 or later. For Open-Xchange Server versions 6.22.1 prior to rev14, update to version 6.22.1 rev14 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2013-1646

Affected Products

Open-Xchange Server

PT-2013-3293 · Open Xchange · Open-Xchange Server

CVE-2013-1646

Weakness Enumeration

Related Identifiers

Affected Products

References · 4