Vulnerabilities > CVE-2013-7140 - Information Disclosure vulnerability in Open-Xchange AppSuite XML External Entities

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

open-xchange

NVD

Published: 2014-01-26

Updated: 2017-08-29

Summary

XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE can be exploited to conduct absolute path traversal and other attacks. CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Vulnerable Configurations

Part	Description	Count
Application	Open-Xchange Open Xchange Open Xchange Appsuite 6.20.7 Open Xchange Open Xchange Appsuite 6.22.0 Open Xchange Open Xchange Appsuite 6.22.1 Open Xchange Open Xchange Appsuite 7.0.1 Open Xchange Open Xchange Appsuite 7.0.2 Open Xchange Open Xchange Appsuite 7.2.0 Open Xchange Open Xchange Appsuite 7.2.1 Open Xchange Open Xchange Appsuite 7.2.2 Open Xchange Open Xchange Appsuite 7.4.0 Open Xchange Open Xchange Appsuite 6.22.3 Open Xchange Open Xchange Appsuite 6.22.4 Open Xchange Open Xchange Appsuite 7.4.1	12

Summary

Vulnerable Configurations

References