CVE-2016-3174

Published on: 12/15/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:02 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Certain versions of Open-xchange Appsuite from Open-xchange contain the following vulnerability:

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks.

  • CVE-2016-3174 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.4 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW NONE REQUIRED
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
CHANGED NONE HIGH NONE

CVSS2 Score: 4.3 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK MEDIUM NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
NONE PARTIAL NONE

CVE References

Description Tags Link
Open-Xchange OX AppSuite 7.8.0 XSS / Open Redirect ≈ Packet Storm Third Party Advisory
VDB Entry
packetstormsecurity.com
text/html
URL Logo CONFIRM packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html
SecurityFocus web.archive.org
text/html
Inactive LinkNot Archived
URL Logo BUGTRAQ 20160525 Open-Xchange Security Advisory 2016-05-25

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationOpen-xchangeOpen-xchange AppsuiteAllrev-26AllAll
  • cpe:2.3:a:open-xchange:open-xchange_appsuite:*:rev-26:*:*:*:*:*:*: