Vulnerability CVE-2016-4027

Published: 2016-12-15

Description:
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. The App Suite frontend lets a user control whether cookies that outlive the session duration are stored. This functionality is useful when logging in from clients with reduced privileges or from shared environments. However, the setting was not recognized correctly, and cookies were stored regardless of it when the login was performed using a non-interactive login method. When the setting was enforced by middleware configuration, or when the user went through the interactive login page, the workflow was correct. Cookies carrying authentication information may therefore become available to other users of a shared environment: if the user did not properly log out of the session, third parties with access to the same client can access the user's account.

See advisories in our WLB2 database:
Risk: Low
Topic: Open-Xchange App Suite 7.8.1 Information Disclosure
Author: Martin Heiland
Date: 23.06.2016

Type: CWE-200 (Information Exposure)

Vendor: Open-xchange
Product: Open-xchange appsuite
Version: 7.8.1

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

References:
http://packetstormsecurity.com/files/137599/Open-Xchange-App-Suite-7.8.1-Information-Disclosure.html
http://www.securityfocus.com/archive/1/538732/100/0/threaded
http://www.securitytracker.com/id/1036157

Related CVE
CVE-2019-11806: OX App Suite 7.10.1 and earlier has Insecure Permissions.
CVE-2019-11522: OX App Suite 7.10.0 to 7.10.2 allows XSS.
CVE-2019-11521: OX App Suite 7.10.1 allows Content Spoofing.
CVE-2018-10986: OX Guard 2.8.0 has CSRF.
CVE-2019-7159: OX App Suite 7.10.1 and earlier allows Information Exposure.
CVE-2019-7158: OX App Suite 7.10.0 and earlier has Incorrect Access Control.
CVE-2017-13667: OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF.
CVE-2017-13668: OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

Copyright 2019, cxsecurity.com