PT-2013-3298 · Open Xchange · Open-Xchange Server

Published

2013-09-05

·

Updated

2014-03-05

·

CVE-2013-1651

CVSS v2.0

5.8

Medium

VectorAV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions Open-Xchange Server versions prior to 6.20.7 rev14 Open-Xchange Server versions 6.22.0 prior to rev13 Open-Xchange Server versions 6.22.1 prior to rev14
Description The issue allows man-in-the-middle attackers to spoof update servers and install arbitrary software via a crafted certificate, due to the failure of OXUpdater to verify X.509 certificates from SSL servers.
Recommendations For Open-Xchange Server versions prior to 6.20.7 rev14, update to version 6.20.7 rev14 or later. For Open-Xchange Server versions 6.22.0 prior to rev13, update to version 6.22.0 rev13 or later. For Open-Xchange Server versions 6.22.1 prior to rev14, update to version 6.22.1 rev14 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

CVE-2013-1651

Affected Products

Open-Xchange Server