CVE-2014-5236
Description
Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Absolute path traversal in the Open-Xchange AppSuite documentconverter allows remote attackers to read arbitrary application files via a crafted OLE Object or image in an OpenDocument text file.
Vulnerability
The documentconverter component in Open-Xchange (OX) AppSuite versions before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 contains multiple absolute path traversal vulnerabilities [1]. By crafting an OpenDocument text file with a full pathname in an OLE Object or an image, a remote attacker can read arbitrary application files.
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted OpenDocument text file to a target server running a vulnerable version of OX AppSuite. No authentication is required if the documentconverter is exposed to unauthenticated users. The attacker includes a full pathname (e.g., /etc/passwd) in the OLE Object or image element. When the documentconverter processes the file, it follows the absolute path and reads the specified file.
Impact
Successful exploitation allows an attacker to read arbitrary application files on the server, potentially leading to disclosure of sensitive configuration data, credentials, or other confidential information. The impact is limited to file read; no code execution is reported.
Mitigation
The vulnerability is fixed in OX AppSuite versions 7.4.2-rev10 and 7.6.0-rev10. Users should upgrade to these versions or later. No workarounds are documented in the available references. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
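A defender-side check for the pattern described above, as an added example that is not part of the CVE record or of Open-Xchange's code: it scans an OpenDocument package for image and OLE object links that point at absolute paths instead of package-relative entries. The ODF element names (`draw:image`, `draw:object-ole`, `draw:object`), the helper names and the sample documents are assumptions made for illustration; the page itself does not name the elements.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
DRAW_NS = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
# Assumed ODF elements that link to images and embedded (OLE) objects.
WATCHED = {f"{{{DRAW_NS}}}{n}" for n in ("image", "object-ole", "object")}
# Absolute POSIX path, file: URI, Windows drive path, or UNC path.
ABSOLUTE = re.compile(r"^(/|file:|[A-Za-z]:[\\/]|\\\\)", re.IGNORECASE)


def find_absolute_refs(odt_bytes):
    """Return [(element, href)] for image/OLE links that leave the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(("content.xml", "styles.xml")):
                continue
            # Stdlib parser for brevity; use a hardened XML parser and size
            # limits when scanning untrusted uploads in production.
            root = ET.fromstring(pkg.read(name))
            for el in root.iter():
                href = el.get(XLINK_HREF, "").strip()
                if el.tag in WATCHED and ABSOLUTE.match(href):
                    findings.append((el.tag.split("}")[1], href))
    return findings


def build_sample(image_href, ole_href):
    """Constructed minimal ODT-like package, used only to exercise the check."""
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        f' xmlns:draw="{DRAW_NS}" xmlns:xlink="http://www.w3.org/1999/xlink">'
        f'<draw:frame><draw:image xlink:href="{image_href}"/></draw:frame>'
        f'<draw:frame><draw:object-ole xlink:href="{ole_href}"/></draw:frame>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample("Pictures/a.png", "./Object 1")
    flagged = build_sample("/constructed/app/file.conf", "file:///constructed/app/file.conf")
    print(find_absolute_refs(benign), find_absolute_refs(flagged))
```

A check like this fits at the upload or mail-gateway stage, in front of any converter that has not yet been upgraded to a fixed release.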
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3 entries:
- Open-Xchange (OX)/AppSuite (description), range: <7.4.2-rev10 or <7.6.0-rev10
- (no CPE), range: <7.4.2-rev10 or <7.6.0-rev10
- (no CPE), range: <7.4.2-rev10 or <7.6.0-rev10
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html (mitre, x_refsource_MISC)
- software.open-xchange.com/OX6/doc/Release_Notes_for_Patch_Release_2112_7.6.0_2014-08-25.pdf (mitre, x_refsource_MISC)
- www.securityfocus.com/archive/1/archive/1/533443/100/0/threaded (mitre, x_refsource_MISC)