CVE-2016-6850
Published on: 12/15/2016 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:11 PM UTC
Certain versions of Open-xchange Appsuite from Open-xchange contain the following vulnerability:
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
- CVE-2016-6850 has been assigned by
[email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 6.1 - MEDIUM
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|
|---|---|---|---|---|
| NETWORK | LOW | NONE | REQUIRED | |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
|
| CHANGED | LOW | LOW | NONE |
CVSS2 Score: 4.3 - MEDIUM
| Access Vector ⓘ |
Access Complexity |
Authentication |
|---|---|---|
| NETWORK | MEDIUM | NONE |
| Confidentiality Impact |
Integrity Impact |
Availability Impact |
| NONE | PARTIAL | NONE |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| Open-Xchange AppSuite Multiple Cross Site Scripting Vulnerabilities | Third Party Advisory VDB Entry cve.report (archive) text/html |
BID 93457 |
| Release Notes Vendor Advisory software.open-xchange.com application/pdf |
CONFIRM software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf |
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Open-xchange | Open-xchange Appsuite | All | rev4 | All | All |
- cpe:2.3:a:open-xchange:open-xchange_appsuite:*:rev4:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE