CVE-2018-9998

Name of the Vulnerable Software and Affected Versions Open-Xchange OX App Suite versions prior to 7.6.3-rev37 Open-Xchange OX App Suite versions 7.8.x prior to 7.8.2-rev40 Open-Xchange OX App Suite version 7.8.3 prior to 7.8.3-rev48 Open-Xchange OX App Suite version 7.8.4 prior to 7.8.4-rev28

Description The issue allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to the "api/tasks" API endpoint. This occurs because folder names are included in API error responses.

Recommendations For Open-Xchange OX App Suite versions prior to 7.6.3-rev37, update to version 7.6.3-rev37 or later. For Open-Xchange OX App Suite versions 7.8.x prior to 7.8.2-rev40, update to version 7.8.2-rev40 or later. For Open-Xchange OX App Suite version 7.8.3 prior to 7.8.3-rev48, update to version 7.8.3-rev48 or later. For Open-Xchange OX App Suite version 7.8.4 prior to 7.8.4-rev28, update to version 7.8.4-rev28 or later.