Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH

Internal reference: 31065
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.4.1 and 7.4.2
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.4.1-rev10, 7.4.2-rev8
Vendor notification: 2014-02-11
Solution date: 2014-02-28
Public disclosure: 2014-03-17
CVE reference: CVE-2014-2077
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Script code that gets entered to the subject field of a mail, either by direct typing or using reply/forward, gets executed. This is caused by "aria" tags for screenreaders at the top bar, which do not use sanitized versions of the content. Note that just reading such a mail will not trigger the malicious code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Solution:
Users should update to the latest patch releases. Users should avoid replying or forwarding mails from untrusted sources that contain suspicious subjects.


Internal reference: 31185 (Bug ID)
Vulnerability type: Information exposure (CWE-200)
Vulnerable version: 7.4.2
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.4.2-rev9
Vendor notification: 2014-02-18
Solution date: 2014-02-26
Public disclosure: 2014-03-17
CVE reference: CVE-2014-2078
CVSSv2: 3.9 (AV:N/AC:L/Au:M/C:P/I:N/A:N/E:F/RL:U/RC:C/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Under some circumstances it may happen that E-Mail auto configuration for external accounts fails and returns an email address from a previously failing configuration attempt from any other user of the system.

Risk:
Users may gain unauthorised access to other users data e.g. mail addresses. Note that passwords are not affected by this.

Solution:
Users should update to the latest patch releases. As a temporary workaround, auto configuration for mail could be disabled at the backend:
$ /opt/open-xchange/sbin/stopbundle com.openexchange.mail.autoconfig.json