Open-Xchange security vulnerabilities
Published: 05.05.2014
SecurityVulns ID: 13737
Type: remote
Threat Level: 5/10
Description: The password is passed in the URI during password reset. Cross-site scripting.
Affected: OPENXCHANGE: Open-Xchange 7.4
CVE:
CVE-2014-2393 (Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.)
CVE-2014-2392 (The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.)
CVE-2014-2391 (The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request.)
Original document: OPENXCHANGE, Open-Xchange Security Advisory 2014-04-08 (05.05.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod