CVE-2016-4027
Published on: 12/15/2016 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:26:58 PM UTC
Certain versions of Open-xchange Appsuite from Open-xchange contain the following vulnerability:
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. The App Suite frontend offers a setting that controls whether a user wants to store cookies that outlive the session. This functionality is useful when logging in from clients with reduced privileges or from shared environments. However, the setting was incorrectly recognized, and cookies were stored regardless of it when the login was performed using a non-interactive login method. When the setting was enforced by middleware configuration, or the user went through the interactive login page, the workflow was correct. Cookies carrying authentication information may therefore become available to other users on shared environments: if the user did not properly log out of the session, third parties with access to the same client can access the user's account.
- CVE-2016-4027 has been assigned by [email protected] to track the vulnerability - currently rated as LOW severity.
CVSS3 Score: 3.5 - LOW

Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | REQUIRED |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | LOW | NONE | NONE |
CVSS2 Score: 3.5 - LOW

Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | MEDIUM | SINGLE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | NONE | NONE |
CVE References

Description | Tags | Link |
---|---|---|
Open-Xchange App Suite 7.8.1 Information Disclosure (Packet Storm) | Third Party Advisory, VDB Entry | packetstormsecurity.com (text/html) |
Open-Xchange App Suite Multiple Bugs Let Remote Users Obtain Potentially Sensitive Information, Conduct Cross-Site Scripting and Server-Side Request Forgery Attacks, Spoof Content, and Deny Service (SecurityTracker) | Third Party Advisory, VDB Entry | www.securitytracker.com (text/html) |
SecurityFocus | | www.securityfocus.com (text/html) |
Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Open-xchange | Open-xchange Appsuite | All | rev9 | All | All |
- cpe:2.3:a:open-xchange:open-xchange_appsuite:*:rev9:*:*:*:*:*:*: