CVE-2016-6847: XSS
First published: Thu Dec 15 2016(Updated: )
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Open-Xchange App Suite Backend | <=7.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-6847?
CVE-2016-6847 has been classified as a high severity vulnerability due to its potential to execute malicious script code in a user's context.
How do I fix CVE-2016-6847?
To fix CVE-2016-6847, upgrade to Open-Xchange App Suite version 7.8.2-rev8 or later.
Who is affected by CVE-2016-6847?
CVE-2016-6847 affects users of Open-Xchange App Suite versions up to and including 7.8.2-rev4.
What type of files can trigger CVE-2016-6847?
SVG files used as MP3 album covers can trigger CVE-2016-6847 if their XML structure contains script code.
What can happen if CVE-2016-6847 is exploited?
Exploitation of CVE-2016-6847 can allow attackers to execute arbitrary script code in the context of a user's session.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/open-xchange
- canonical/open-xchange app suite backend
- version/open-xchange app suite backend/7.8.2