CVE-2016-3173

Name of the Vulnerable Software and Affected Versions Open-Xchange OX AppSuite versions prior to 7.8.0-rev27

Description An issue in Open-Xchange OX AppSuite allows the aria-label parameter of tiles at the Portal to be used for script code injection. This occurs when the name of a displayed file, such as an image, is used in the label and contains script code. As a result, malicious script code can be executed within a user's context, potentially leading to session hijacking or unwanted actions like sending mail or deleting data. This can happen if a user actively adds a malicious file to the portal or if an internal attacker modifies a shared file to include a malicious file name. The vulnerability can also be used to persistently execute injected code from a temporary script execution vulnerability.

Recommendations For versions prior to 7.8.0-rev27, update to version 7.8.0-rev27 or later to resolve the issue. As a temporary workaround, consider restricting the ability for users to add files to the portal and monitor shared files for any modifications that could indicate malicious activity. Avoid using potentially malicious file names that could lead to script execution.