CVE-2014-5235 : Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x befo

Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds.

Published 2014-09-17 14:55:03

Updated 2018-10-09 19:50:03

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Exploit prediction scoring system (EPSS) score for CVE-2014-5235

Probability of exploitation activity in the next 30 days: 0.25%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 62 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-5235

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-5235

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-5235

http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html

Open-Xchange 7.6.0 XSS / SSRF / Traversal ≈ Packet Storm

CVEs referencing this url
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Patch_Release_2112_7.6.0_2014-08-25.pdf

Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/69792

Open-Xchange AppSuite CVE-2014-5235 Multiple Cross Site Scripting Vulnerability
http://www.securityfocus.com/archive/1/533443/100/0/threaded

SecurityFocus

CVEs referencing this url

Products affected by CVE-2014-5235

Open-xchange » Open-xchange Appsuite
Versions up to, including, (<=) 7.4.1
cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 6.22.0
cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 6.22.1
cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 7.0.1
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 7.0.2
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 7.2.0
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 6.20.7
cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 7.2.2
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 7.2.1
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 7.4.0
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:*:*:*:*:*:*:*
Matching versions
Open-xchange » Open-xchange Appsuite » Version: 7.6.0
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-5235

Exploit prediction scoring system (EPSS) score for CVE-2014-5235

CVSS scores for CVE-2014-5235

CWE ids for CVE-2014-5235

References for CVE-2014-5235

Products affected by CVE-2014-5235