CVE-2013-6997

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange (OX) AppSuite 7.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an HTML email with crafted CSS code containing wildcards or (2) office documents containing "crafted hyperlinks with script URL handlers."

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1766_7.4.0_Rev21_2013_12_13.pdf	Vendor Advisory
http://www.osvdb.org/101714
http://www.osvdb.org/101715
http://www.securityfocus.com/archive/1/530681/100/0/threaded
http://www.securityfocus.com/bid/64676
http://www.securitytracker.com/id/1029554
https://exchange.xforce.ibmcloud.com/vulnerabilities/90113
http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1766_7.4.0_Rev21_2013_12_13.pdf	Vendor Advisory
http://www.osvdb.org/101714
http://www.osvdb.org/101715
http://www.securityfocus.com/archive/1/530681/100/0/threaded
http://www.securityfocus.com/bid/64676
http://www.securitytracker.com/id/1029554
https://exchange.xforce.ibmcloud.com/vulnerabilities/90113

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:open-xchange:open-xchange_appsuite::::::::
	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:::::::*
	cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:::::::*

History

21 Nov 2024, 02:00

Type	Values Removed	Values Added
References	~~() http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1766_7.4.0_Rev21_2013_12_13.pdf - Vendor Advisory~~	() http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1766_7.4.0_Rev21_2013_12_13.pdf - Vendor Advisory
References	~~() http://www.osvdb.org/101714 -~~	() http://www.osvdb.org/101714 -
References	~~() http://www.osvdb.org/101715 -~~	() http://www.osvdb.org/101715 -
References	~~() http://www.securityfocus.com/archive/1/530681/100/0/threaded -~~	() http://www.securityfocus.com/archive/1/530681/100/0/threaded -
References	~~() http://www.securityfocus.com/bid/64676 -~~	() http://www.securityfocus.com/bid/64676 -
References	~~() http://www.securitytracker.com/id/1029554 -~~	() http://www.securitytracker.com/id/1029554 -
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/90113 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/90113 -

Information

Published : 2014-01-09 00:55

Updated : 2025-04-11 00:51

NVD link : CVE-2013-6997

Mitre link : CVE-2013-6997

CVE.ORG link : CVE-2013-6997

JSON object : View

Products Affected

open-xchange

open-xchange_appsuite

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2013-6997", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-01-09T00:55:03.097", "references": [{"url": "http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1766_7.4.0_Rev21_2013_12_13.pdf", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/101714", "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/101715", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/530681/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/64676", "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id/1029554", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90113", "source": "cve@mitre.org"}, {"url": "http://software.open-xchange.com/OX6/doc/Release_Notes_for_Public_Patch_Release_1766_7.4.0_Rev21_2013_12_13.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.osvdb.org/101714", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.osvdb.org/101715", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/archive/1/530681/100/0/threaded", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/64676", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1029554", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90113", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange (OX) AppSuite 7.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an HTML email with crafted CSS code containing wildcards or (2) office documents containing \"crafted hyperlinks with script URL handlers.\""}, {"lang": "es", "value": "Multiple cross-site scripting (XSS) en Open-Xchange (OX) AppSuite 7.4.0 y anteriores que permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de (1) un correo electr\u00f3nico HTML con c\u00f3digo CSS manipulado que contiene caracteres comod\u00edn o (2) la oficina documentos que contienen \"hiperv\u00ednculos manipulados con manejadores de script de URL.\""}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2E10052-CF1B-4A96-87DD-8AEEBC96E4E6", "versionEndIncluding": "7.4.0"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.20.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "983E5F3A-E7AD-4CCA-80D4-9C012AFCCDD4"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F85EE0C-B7A0-455A-96F6-E4E6BA5D7216"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:6.22.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D9572CB-9A46-492E-BDCC-E01849EF0EC0"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "138461CD-9C27-40E5-B7A0-A37737B6E942"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "108BCEFD-3098-4919-9B0C-E80F6FA1C102"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDBB02DF-1022-4FE5-B5E1-198DC58F8C1B"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BF31219-8390-4676-A9C4-D625A016C71E"}, {"criteria": "cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75B04598-67CD-420B-92C9-9A7459295E11"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

4.3 /10