CVE-2016-3174

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks.

Published: Dec 15, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-3174
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-601

Affected Software
References

Software	From	Fixed in
open-xchange / open-xchange_appsuite	-	7.8.0.x

http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html
http://www.securityfocus.com/archive/1/538481/100/0/threaded

Vulnerability Database

CVE-2016-3174