CVE-2016-6854

Published on: 12/15/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:11 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Certain versions of OX Guard from Open-Xchange contain the following vulnerability:

An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

  • CVE-2016-6854 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 6.1 - MEDIUM

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS2 Score: 4.3 - MEDIUM

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVE References

  • Open-Xchange Guard 2.4.2 Cross Site Scripting ≈ Packet Storm
    Tags: Exploit, Third Party Advisory, VDB Entry
    Link: CONFIRM packetstormsecurity.com/files/138701/Open-Xchange-Guard-2.4.2-Cross-Site-Scripting.html (packetstormsecurity.com, text/html)

  • Open-Xchange OX Guard Multiple Cross Site Scripting Vulnerabilities
    Tags: Third Party Advisory, VDB Entry
    Link: BID 92920 (cve.report (archive), text/html)

  • Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting
    Tags: Exploit, Third Party Advisory, VDB Entry
    Link: EXPLOIT-DB 40377 (www.exploit-db.com, Proof of Concept, text/html)

  • SecurityFocus
    Link: BUGTRAQ 20160913 Open-Xchange Security Advisory 2016-09-13 (2) (web.archive.org, text/html, Inactive Link, Not Archived)

Known Affected Configurations (CPE V2.3)

Type: Application
Vendor: Open-xchange
Product: Ox Guard
Version: All
Update: rev4
Edition: All
Language: All
  • cpe:2.3:a:open-xchange:ox_guard:*:rev4:*:*:*:*:*:*