CVE-2016-5740
Description
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in OX App Suite before 7.8.2-rev5 allows attackers to execute arbitrary JavaScript via malicious ical attachments in scheduling emails.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Open-Xchange OX App Suite versions before 7.8.2-rev5. The bug resides in the handling of iCal attachments within scheduling emails and in resource descriptions. Malicious JavaScript code can be embedded in appointment fields (e.g., location) or resource descriptions. When a user views the appointment details, the script executes in the context of the user's current session. Affected versions include all releases prior to the fixed versions: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, and 7.8.2-rev5 for the frontend component, and similar versions for the backend.
Exploitation
An attacker can exploit this vulnerability by sending a scheduling email containing a crafted iCal attachment with embedded JavaScript, or by creating or modifying a resource with a malicious description. The attacker does not need authentication, but must either be able to send email to the target or hold explicit permissions to create or modify resources. The attack requires user interaction: the victim must open the email and view the appointment details. The script then executes within the victim's session, allowing the attacker to perform actions on behalf of that user [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, unauthorized actions such as sending emails, deleting data, or other operations accessible via the web interface. The impact is limited to the privileges of the victim user; no privilege escalation occurs.
Mitigation
The vendor has released fixed versions: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, and 7.8.2-rev5 for the frontend, and corresponding updates for the backend. Operators should update to the latest patch release. As a workaround, permission settings can be tightened to reject resource modifications by users. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
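The narrative above describes script placed in an iCal field such as LOCATION being rendered into the E-Mail App as live markup. The following added example (not OX App Suite code; the function names and the sample invitation are constructed for illustration) shows the difference between a renderer that concatenates the field verbatim and one that treats every iCal value as inert text:

```javascript
// Added illustration, not the product's code. Works without a DOM: both renderers
// return an HTML string so the escaped and unescaped forms can be compared.

// Unfold RFC 5545 line continuations (CRLF followed by one space or tab).
function unfoldIcs(ics) {
  return ics.replace(/\r?\n[ \t]/g, "");
}

// Value of the first occurrence of a property (e.g. LOCATION), ignoring any
// ;PARAM=... part and decoding RFC 5545 backslash escapes (\, \; \\ \n).
// Simplification: parameter values containing a quoted ":" are not handled.
function getIcsProperty(ics, name) {
  const re = new RegExp("^" + name + "(;[^:]*)?:(.*)$", "i");
  for (const line of unfoldIcs(ics).split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) {
      return m[2].replace(/\\([\\;,nN])/g, (_, c) => (c.toLowerCase() === "n" ? "\n" : c));
    }
  }
  return null;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the HTML-significant characters so the browser displays the value instead of parsing it.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern (the bug class on this page): the attachment's field goes into markup as-is.
function renderLocationUnsafe(ics) {
  return '<div class="location">' + getIcsProperty(ics, "LOCATION") + "</div>";
}

// Hardened pattern: every untrusted iCal value is HTML-escaped before it reaches the DOM.
function renderLocationSafe(ics) {
  const value = getIcsProperty(ics, "LOCATION") ?? "";
  return '<div class="location">' + escapeHtml(value) + "</div>";
}

// Constructed sample invitation: the LOCATION line is folded across two physical
// lines and carries a script tag, mirroring the scenario in the description.
const SAMPLE_ICS = [
  "BEGIN:VCALENDAR",
  "BEGIN:VEVENT",
  "SUMMARY:Team sync",
  "LOCATION;LANGUAGE=en:Room 4\\, 2nd floor <script>x()",
  " </script>",
  "END:VEVENT",
  "END:VCALENDAR",
].join("\r\n");
```

Note that folding lets an attacker split a tag across physical lines, so a filter that inspects unfolded lines only, rather than the decoded value, would miss it; the escaping must happen on the final rendered value.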
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.8.2-rev5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html (NVD tags: Mitigation, Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/92922 (NVD tags: Third Party Advisory, VDB Entry)
- www.exploit-db.com/exploits/40378/ (NVD tags: Mitigation, Third Party Advisory, VDB Entry)
- www.securityfocus.com/archive/1/539394/100/0/threaded (NVD)
News mentions
No linked articles in our index yet.