Information security


Security vulnerabilities in Open-Xchange
Published: May 5, 2014
Source:
SecurityVulns ID: 13737
Type: remote
Severity: 5/10
Description: During a password reset the password is transmitted in the URI; cross-site scripting.
Affected products: OPENXCHANGE : Open-Xchange 7.4
CVE: CVE-2014-2393 (Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.)
 CVE-2014-2392 (The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.)
 CVE-2014-2391 (The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request.)
Original text: OPENXCHANGE, Open-Xchange Security Advisory 2014-04-08 (05.05.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod