Lucene search

CVE-2018-9997

🗓️ 05 Jul 2018 20:00:29Reported by mitreType

cve🔗 web.nvd.nist.gov👁 52 Views🌐 WEB

CVE-2018-9997 Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page with data-toggle gadgets

Reporter	Title	Published	Views	Family All 7
NVD	CVE-2018-9997	5 Jul 201820:29	–	nvd
Prion	Cross site scripting	5 Jul 201820:29	–	prion
Cvelist	CVE-2018-9997	5 Jul 201820:00	–	cvelist
OpenVAS	Open-Xchange (OX) App Suite Multiple Vulnerabilities (Jul 2018)	3 Jul 201800:00	–	openvas
0day.today	OX App Suite 7.8.4 XSS / XML Injection / Information Disclosure Vulnerabilities	3 Jul 201800:00	–	zdt
Packet Storm	OX App Suite 7.8.4 XSS / XML Injection / Information Disclosure	2 Jul 201800:00	–	packetstorm
Packet Storm	Open-Xchange OX Guard Cross Site Scripting / Signature Validation	16 Aug 201900:00	–	packetstorm

Nvd

Node

open-xchange open-xchange_appsuiteRange≤7.6.3

open-xchange open-xchange_appsuiteMatch7.6.3rev14

open-xchange open-xchange_appsuiteMatch7.6.3rev15

open-xchange open-xchange_appsuiteMatch7.6.3rev16

open-xchange open-xchange_appsuiteMatch7.6.3rev17

open-xchange open-xchange_appsuiteMatch7.6.3rev18

open-xchange open-xchange_appsuiteMatch7.6.3rev20

open-xchange open-xchange_appsuiteMatch7.6.3rev22

open-xchange open-xchange_appsuiteMatch7.6.3rev23

open-xchange open-xchange_appsuiteMatch7.6.3rev24

open-xchange open-xchange_appsuiteMatch7.6.3rev25

open-xchange open-xchange_appsuiteMatch7.6.3rev26

open-xchange open-xchange_appsuiteMatch7.6.3rev28

open-xchange open-xchange_appsuiteMatch7.6.3rev29

open-xchange open-xchange_appsuiteMatch7.6.3rev30

open-xchange open-xchange_appsuiteMatch7.8.0

open-xchange open-xchange_appsuiteMatch7.8.2

open-xchange open-xchange_appsuiteMatch7.8.3

open-xchange open-xchange_appsuiteMatch7.8.3rev10

open-xchange open-xchange_appsuiteMatch7.8.3rev11

open-xchange open-xchange_appsuiteMatch7.8.3rev12

open-xchange open-xchange_appsuiteMatch7.8.3rev13

open-xchange open-xchange_appsuiteMatch7.8.3rev14

open-xchange open-xchange_appsuiteMatch7.8.3rev15

open-xchange open-xchange_appsuiteMatch7.8.3rev16

open-xchange open-xchange_appsuiteMatch7.8.3rev17

open-xchange open-xchange_appsuiteMatch7.8.3rev18

open-xchange open-xchange_appsuiteMatch7.8.3rev19

open-xchange open-xchange_appsuiteMatch7.8.3rev20

open-xchange open-xchange_appsuiteMatch7.8.3rev21

open-xchange open-xchange_appsuiteMatch7.8.3rev22

open-xchange open-xchange_appsuiteMatch7.8.3rev23

open-xchange open-xchange_appsuiteMatch7.8.3rev24

open-xchange open-xchange_appsuiteMatch7.8.3rev25

open-xchange open-xchange_appsuiteMatch7.8.3rev26

open-xchange open-xchange_appsuiteMatch7.8.3rev27

open-xchange open-xchange_appsuiteMatch7.8.3rev28

open-xchange open-xchange_appsuiteMatch7.8.3rev29

open-xchange open-xchange_appsuiteMatch7.8.3rev30

open-xchange open-xchange_appsuiteMatch7.8.3rev31

open-xchange open-xchange_appsuiteMatch7.8.3rev32

open-xchange open-xchange_appsuiteMatch7.8.3rev33

open-xchange open-xchange_appsuiteMatch7.8.3rev34

open-xchange open-xchange_appsuiteMatch7.8.3rev35

open-xchange open-xchange_appsuiteMatch7.8.3rev36

open-xchange open-xchange_appsuiteMatch7.8.3rev38

open-xchange open-xchange_appsuiteMatch7.8.3rev39

open-xchange open-xchange_appsuiteMatch7.8.3rev40

open-xchange open-xchange_appsuiteMatch7.8.3rev5

open-xchange open-xchange_appsuiteMatch7.8.3rev6

open-xchange open-xchange_appsuiteMatch7.8.3rev8

open-xchange open-xchange_appsuiteMatch7.8.3rev9

open-xchange open-xchange_appsuiteMatch7.8.4

open-xchange open-xchange_appsuiteMatch7.8.4rev10

open-xchange open-xchange_appsuiteMatch7.8.4rev11

open-xchange open-xchange_appsuiteMatch7.8.4rev13

open-xchange open-xchange_appsuiteMatch7.8.4rev14

open-xchange open-xchange_appsuiteMatch7.8.4rev15

open-xchange open-xchange_appsuiteMatch7.8.4rev16

open-xchange open-xchange_appsuiteMatch7.8.4rev17

open-xchange open-xchange_appsuiteMatch7.8.4rev18

open-xchange open-xchange_appsuiteMatch7.8.4rev19

open-xchange open-xchange_appsuiteMatch7.8.4rev20

open-xchange open-xchange_appsuiteMatch7.8.4rev21

open-xchange open-xchange_appsuiteMatch7.8.4rev22

open-xchange open-xchange_appsuiteMatch7.8.4rev23

open-xchange open-xchange_appsuiteMatch7.8.4rev24

open-xchange open-xchange_appsuiteMatch7.8.4rev25

open-xchange open-xchange_appsuiteMatch7.8.4rev26

open-xchange open-xchange_appsuiteMatch7.8.4rev27

open-xchange open-xchange_appsuiteMatch7.8.4rev3

open-xchange open-xchange_appsuiteMatch7.8.4rev4

open-xchange open-xchange_appsuiteMatch7.8.4rev5

open-xchange open-xchange_appsuiteMatch7.8.4rev6

open-xchange open-xchange_appsuiteMatch7.8.4rev7

open-xchange open-xchange_appsuiteMatch7.8.4rev8

open-xchange open-xchange_appsuiteMatch7.8.4rev9

Source	Link
packetstormsecurity	www.packetstormsecurity.com/files/154127/Open-Xchange-OX-Guard-Cross-Site-Scripting-Signature-Validation.html
seclists	www.seclists.org/fulldisclosure/2018/Jul/12
securitytracker	www.securitytracker.com/id/1041213

Parameter	Position	Path	Description	CWE
action	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
timezone	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
folder	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
columns	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
sort	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
order	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
cache	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
session	query param	/appsuite/api/tasks	Information exposure through error messages that disclose folder names to unauthorized users.	CWE-200
data-target	request body	/mail/compose	XSS vulnerability allowing execution of scripts in user's context via malicious data-target attributes.	CWE-80

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

05 Jul 2018 20:29Current

6Medium risk

Vulners AI Score6

CVSS24.3

CVSS36.1

EPSS0.00338

CWE-79