Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-5740 — Cross-site Scripting in Appsuite

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.9%

top 24.85%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Open-xchange Appsuite

Timeline

PublishedDec 15

Latest updateMay 14

Description

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions vi…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDopen-xchange/open-xchange_appsuite7.8.2

🔴Vulnerability Details

GHSA

GHSA-hrv2-h7rh-2wq4: An issue was discovered in Open-Xchange OX App Suite before 7↗2022-05-14

▶

CVEList

CVE-2016-5740: An issue was discovered in Open-Xchange OX App Suite before 7↗2016-12-15

▶

💥Exploits & PoCs

Exploit-DB

Open-Xchange App Suite 7.8.2 - Cross-Site Scripting↗2016-09-13

▶