PT-2016-6249 · Open Xchange · Open-Xchange Appsuite

Phil Oester · Published 2016-12-15 · Updated 2018-10-19 · CVE-2016-5124

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open-Xchange OX App Suite versions prior to 7.8.1-rev14
Description: An issue in Open-Xchange OX App Suite allows script code execution in the context of the active user when images from external sources are added to HTML editors by drag&drop. It can be exploited by tricking a user into dragging an image from a specially crafted website into an HTML editor area, such as E-Mail Compose or OX Text. The attack circumvents typical XSS filters and detection mechanisms because the code is injected locally, on the client, rather than arriving through the server. Malicious script code then runs within the user's context, which can lead to session hijacking or to unwanted actions being triggered via the web interface, such as sending mail or deleting data. Exploitation requires social engineering to convince a user to follow specific steps.
Recommendations: For versions prior to 7.8.1-rev14, update to version 7.8.1-rev14 or later to resolve the issue. As a temporary workaround, consider restricting the use of external images in HTML editors to minimize the risk of exploitation. Avoid using the drag&drop feature to add images from external sources to HTML editor areas until the issue is resolved.
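The core of the bug class described above is that an editor trusts the markup a foreign site attaches to a drag payload. The following added example (not Open-Xchange code, and not how the vendor fixed the issue) contrasts a handler that inserts the dropped `text/html` as-is with one that takes only a URL from `text/uri-list`, checks its scheme, and builds a fresh `<img>` with a single escaped attribute; the drop payload is a constructed, DataTransfer-like object so the code runs outside a browser.

```javascript
// Added illustration, not Open-Xchange code. In a real editor the hardened
// path would use document.createElement("img") and set img.src; a string is
// built here only so the example runs outside a browser.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape characters that could close an attribute value or open a new tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Pick an image URL from a DataTransfer-like object. The "text/html" entry is
// deliberately ignored: it is markup controlled by the source site. Only the
// first non-comment line of "text/uri-list" is considered, and it must parse
// as an absolute http(s) URL.
function extractImageUrl(dataTransfer) {
  const uriList = dataTransfer.getData("text/uri-list") || "";
  const candidate = uriList
    .split(/\r?\n/)
    .map((line) => line.trim())
    .find((line) => line && !line.startsWith("#"));
  if (!candidate) return null;
  let url;
  try {
    url = new URL(candidate); // throws on relative or malformed input
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Unsafe pattern: whatever markup the source site attached is inserted as-is.
function insertDroppedHtmlUnsafe(dataTransfer) {
  return dataTransfer.getData("text/html");
}

// Hardened pattern: a new <img> carrying only a validated src attribute.
function insertDroppedImageSafe(dataTransfer) {
  const src = extractImageUrl(dataTransfer);
  return src === null ? "" : `<img src="${escapeAttr(src)}" alt="">`;
}

// Constructed sample drop payload: the HTML entry carries an extra event
// handler attribute alongside the image, the URI entry carries the bare URL.
const sampleDrop = {
  data: {
    "text/uri-list": "https://example.invalid/pic.png\n",
    "text/html": '<img src="https://example.invalid/pic.png" onerror="/* constructed marker */">',
  },
  getData(type) { return this.data[type] || ""; },
};
```

Rejecting the `text/html` entry outright is simpler and more robust than trying to sanitize it, since that entry is exactly where the locally injected code in this advisory lives.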

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2016-5124

Affected Products

Open-Xchange Appsuite