Medium severity 6.1 · NVD Advisory · Published Dec 15, 2016 · Updated May 6, 2026
CVE-2016-2840
Description
An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, the vulnerability can be exploited without being authenticated and therefore used for social engineering attacks, stealing cookies or redirecting from trustworthy to malicious hosts.
Affected products
- Range: <7.8.0-rev26
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/136543/Open-Xchange-7.8.0-Cross-Site-Scripting.html (nvd; Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1035469 (nvd; Third Party Advisory, VDB Entry)
- www.securityfocus.com/archive/1/537959/100/0/threaded (nvd)