Vulnerability Description
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Xchange | Open-Xchange Appsuite | <= 7.8.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-OThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/archive/1/538481/100/0/threaded
- http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-OThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/archive/1/538481/100/0/threaded
FAQ
What is CVE-2016-3174?
CVE-2016-3174 is a vulnerability with a CVSS score of 7.4 (HIGH). An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be prov...
How severe is CVE-2016-3174?
CVE-2016-3174 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-3174?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Open-Xchange Appsuite.