CVE-2016-6842: XSS
First published: Thu Dec 15 2016(Updated: )
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Open-Xchange App Suite Backend | <=7.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-6842?
CVE-2016-6842 is classified as a medium severity vulnerability due to the potential for executing malicious JavaScript code.
How do I fix CVE-2016-6842?
To remediate CVE-2016-6842, upgrade Open-Xchange OX App Suite to version 7.8.2-rev8 or later.
What platforms are affected by CVE-2016-6842?
CVE-2016-6842 affects Open-Xchange App Suite versions prior to 7.8.2-rev8.
Can CVE-2016-6842 be exploited remotely?
Yes, CVE-2016-6842 can be exploited remotely if the malicious folder is shared with the victim.
What kind of attack is enabled by CVE-2016-6842?
CVE-2016-6842 allows for cross-site scripting (XSS) attacks by executing arbitrary JavaScript code.
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/open-xchange
- canonical/open-xchange app suite backend
- version/open-xchange app suite backend/7.8.2