#VU13546 XXE attack in Open-Xchange App Suite - CVE-2018-9998

 


Published: July 3, 2018


Vulnerability identifier: #VU13546
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-9998
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Open-Xchange App Suite
Software vendor: Open-Xchange Inc

Description

The disclosed vulnerability allows a remote authenticated attacker to perform an XXE attack.

The vulnerability exists due to an error when requesting task folders. A remote attacker can send specially crafted XML external entity data and cause the target system to disclose the name of 'foreign' folders belonging to other users in the same context.


Remediation

Update to versions 7.6.3-rev37, 7.8.2-rev40, 7.8.3-rev48, 7.8.4-rev28.

External links