PT-2013-3294 · Open Xchange · Open-Xchange Server

Published

2013-09-05

Updated

2013-09-26

CVE-2013-1647

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Open-Xchange Server versions prior to 6.20.7 rev14 Open-Xchange Server versions 6.22.0 prior to rev13 Open-Xchange Server versions 6.22.1 prior to rev14

Description The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter. This can be demonstrated by exploiting the location parameter to /ajax/redirect or multiple infostore URIs.

Recommendations For Open-Xchange Server versions prior to 6.20.7 rev14, update to version 6.20.7 rev14 or later. For Open-Xchange Server versions 6.22.0 prior to rev13, update to version 6.22.0 rev13 or later. For Open-Xchange Server versions 6.22.1 prior to rev14, update to version 6.22.1 rev14 or later.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2013-1647

Affected Products

Open-Xchange Server

PT-2013-3294 · Open Xchange · Open-Xchange Server

CVE-2013-1647

Weakness Enumeration

Related Identifiers

Affected Products

References · 4