2018-06-16 03:29:06 2018-08-03 20:19:21

The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.

Vector

NETWORK

Complexity

LOW

Authentication

SINGLE_INSTANCE

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE
Open-xchange Open-xchange appsuite 7.6.3 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev14 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev15 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev16 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev17 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev18 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev20 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev22 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev23 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev24 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev25 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev26 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev28 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev29 (not an official CPE) Open-xchange Open-xchange appsuite 7.6.3 Rev30 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.0 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.2 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev10 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev11 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev12 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev13 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev14 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev15 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev16 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev17 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev18 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev19 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev20 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev21 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev22 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev23 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev24 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev25 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev26 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev27 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev28 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev29 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev30 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev31 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev32 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev33 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev34 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev35 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev36 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev38 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev39 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev40 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev5 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev6 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev8 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.3 Rev9 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev10 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev11 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev13 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev14 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev15 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev16 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev17 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev18 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev19 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev3 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev4 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev5 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev6 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev7 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev8 (not an official CPE) Open-xchange Open-xchange appsuite 7.8.4 Rev9 (not an official CPE)

Improper Input Validation (ID 20)

Related CAPEC 58 Buffer Overflow via Environment Variables (CAPEC-ID 10) Server Side Include (SSI) Injection (CAPEC-ID 101) Cross Zone Scripting (CAPEC-ID 104) Cross Site Scripting through Log Files (CAPEC-ID 106) Command Line Execution through SQL Injection (CAPEC-ID 108) Object Relational Mapping Injection (CAPEC-ID 109) SQL Injection through SOAP Parameter Tampering (CAPEC-ID 110) Subverting Environment Variable Values (CAPEC-ID 13) Format String Injection (CAPEC-ID 135) LDAP Injection (CAPEC-ID 136) Relative Path Traversal (CAPEC-ID 139) Client-side Injection-induced Buffer Overflow (CAPEC-ID 14) Variable Manipulation (CAPEC-ID 171) Embedding Scripts in Non-Script Elements (CAPEC-ID 18) Flash Injection (CAPEC-ID 182) Cross-Site Scripting Using Alternate Syntax (CAPEC-ID 199) Exploiting Trust in Client (aka Make the Client Invisible) (CAPEC-ID 22) XML Nested Payloads (CAPEC-ID 230) XML Oversized Payloads (CAPEC-ID 231) Filter Failure through Buffer Overflow (CAPEC-ID 24) Cross-Site Scripting via Encoded URI Schemes (CAPEC-ID 244) XML Injection (CAPEC-ID 250) Environment Variable Manipulation (CAPEC-ID 264) Global variable manipulation (CAPEC-ID 265) Leverage Alternate Encoding (CAPEC-ID 267) Fuzzing (CAPEC-ID 28) Using Leading 'Ghost' Character Sequences to Bypass Input Filters (CAPEC-ID 3) Accessing/Intercepting/Modifying HTTP Cookies (CAPEC-ID 31) Embedding Scripts in HTTP Query Strings (CAPEC-ID 32) MIME Conversion (CAPEC-ID 42) Exploiting Multiple Input Interpretation Layers (CAPEC-ID 43) Buffer Overflow via Symbolic Links (CAPEC-ID 45) Overflow Variables and Tags (CAPEC-ID 46) Buffer Overflow via Parameter Expansion (CAPEC-ID 47) Signature Spoof (CAPEC-ID 473) XML Client-Side Attack (CAPEC-ID 484) Embedding NULL Bytes (CAPEC-ID 52) Postfix, Null Terminate, and Backslash (CAPEC-ID 53) Simple Script Injection (CAPEC-ID 63) Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64) SQL Injection (CAPEC-ID 66) String Format Overflow in syslog() (CAPEC-ID 67) Blind SQL Injection (CAPEC-ID 7) Using Unicode Encoding to Bypass Validation Logic (CAPEC-ID 71) URL Encoding (CAPEC-ID 72) User-Controlled Filename (CAPEC-ID 73) Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78) Using Slashes in Alternate Encoding (CAPEC-ID 79) Buffer Overflow in an API Call (CAPEC-ID 8) Using UTF-8 Encoding to Bypass Validation Logic (CAPEC-ID 80) Web Logs Tampering (CAPEC-ID 81) XPath Injection (CAPEC-ID 83) AJAX Fingerprinting (CAPEC-ID 85) Embedding Script (XSS) in HTTP Headers (CAPEC-ID 86) OS Command Injection (CAPEC-ID 88) Buffer Overflow in Local Command-Line Utilities (CAPEC-ID 9) XSS in IMG Tags (CAPEC-ID 91) XML Parser Attack (CAPEC-ID 99)