Product: Open-Xchange Server 6 / OX AppSuite Vendor: Open-Xchange GmbH Internal reference: 35512 (Bug ID) Vulnerability type: Cross Site Scripting (CWE-80) Vulnerable version: 7.6.1 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.4.2-rev40, 7.6.0-rev32, 7.6.1-rev11 Researcher credits: John de Kroon of Voiceworks B.V. Vendor notification: 2014-11-18 Solution date: 2014-12-03 CVE reference: CVE-2014-8993 CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)
Vulnerability Details: When embedding script code within a file that gets identified by the "application/xhtml+xml" mime-type and provides a valid XHTML doctype, the existing sanitizer does not get triggered and therefor does not remove potentially harmful script code. Since browsers detect the doctype information, the script code gets executed. The issue may be used to execute a stored cross-site scripting attack. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Potential attack vectors are E-Mail (via attachments) or Drive. Solution: Users should update to the latest patch releases 7.4.2-rev40, 7.6.0-rev32 and 7.6.1-rev11 (or later).
