CVE-2017-17062
Description
The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can save arbitrary user attributes in OX App Suite due to improper privilege management in the backend.
Vulnerability
The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 contains improper privilege management that allows remote authenticated users to save arbitrary user attributes [1].
Exploitation
An attacker needs valid user credentials for the OX App Suite. The improper privilege management in the backend component enables the attacker to save attributes that should be restricted. The exploit requires network access to the application and does not require additional privileges beyond authentication [1].
Impact
Successful exploitation leads to unauthorized modification of user attributes, potentially enabling privilege escalation or other malicious actions depending on the attributes that can be set. The impact includes compromised integrity of user profile data [1].
Mitigation
The vulnerability is fixed in OX App Suite versions 7.6.3-rev35, 7.8.2-rev38, 7.8.3-rev41, and 7.8.4-rev19, released after the vendor notification on 2017-10-18 and solution date 2018-02-08 [1]. Users should upgrade to the latest patched version. No workarounds are mentioned in the reference.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.6.3-rev35, >=7.8.0 <7.8.2-rev38, >=7.8.3 <7.8.3-rev41, >=7.8.4 <7.8.4-rev19
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper privilege management — the backend does not verify that the requesting user has permission to set or read user attributes for arbitrary user identifiers."
Attack vector
An authenticated attacker forges an API request to store or read custom user attributes for a different user by supplying that user's identifier. The proof of concept shows a PUT request to `/ajax/user?session=xxx&name=tree&id=3&action=setAttribute` with a JSON body `{"name":"foo", "value": "bar"}` [ref_id=1]. The backend does not verify that the requesting user has permission to set attributes for the target user ID, allowing any authenticated user to manipulate attributes of other users within the same context [ref_id=1].
Affected code
The vulnerability resides in the backend component of Open-Xchange OX App Suite [ref_id=1]. The advisory identifies the vulnerable component as "backend" and states that "certain 'user attributes' (UA identifier, login timestamps...) can be saved by using arbitrary users identifiers within the same context" [ref_id=1]. The vulnerable versions are 7.6.3 before rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 [ref_id=1].
What the fix does
The fix adds permission checks at both the user and context level before allowing attribute read or write operations [ref_id=1]. The advisory states: "We check permissions on a user- and context-level to make sure just privileged users can set and read user attributes" [ref_id=1]. This ensures that only users with elevated permissions can save or request user attributes for arbitrary user identifiers, closing the privilege escalation path.
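To make the missing check concrete, here is an added example (not Open-Xchange code) modelling a setAttribute-style handler in its unchecked shape beside one that authorizes at the user and context level, as the advisory describes the fix doing. The user directory, context ids and context-admin flag are constructed for the example.

```python
"""Hypothetical model of a user-attribute write with and without authorization."""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    context_id: int            # tenant the user belongs to
    is_context_admin: bool = False
    attributes: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller may not touch the target user's attributes."""


# Constructed directory: users 2, 3 and admin 7 share context 1; user 9 is in context 2.
USERS = {
    2: User(2, 1),
    3: User(3, 1),
    7: User(7, 1, is_context_admin=True),
    9: User(9, 2),
}


def denial_reason(session_user_id, target_id):
    """Return None if the caller may write the target's attributes, else why not."""
    caller = USERS[session_user_id]
    target = USERS.get(target_id)
    # Context-level check: a target outside the caller's tenant is never reachable,
    # and we do not reveal whether such an id exists at all.
    if target is None or target.context_id != caller.context_id:
        return "target not accessible from this context"
    # User-level check: only the user themselves or a context admin may write.
    if caller.user_id != target.user_id and not caller.is_context_admin:
        return "caller may only modify their own attributes"
    return None


def set_attribute_unchecked(session_user_id, target_id, name, value):
    """Vulnerable shape: trusts the caller-supplied id and writes directly."""
    USERS[target_id].attributes[name] = value
    return True


def set_attribute_checked(session_user_id, target_id, name, value):
    """Hardened shape: authorize before writing, otherwise refuse."""
    reason = denial_reason(session_user_id, target_id)
    if reason is not None:
        raise Forbidden(reason)
    USERS[target_id].attributes[name] = value
    return True
```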
Preconditions
- Attacker must be an authenticated user of the OX App Suite
- Attacker must know or guess the target user's numeric ID within the same context
- The target user must be in the same context (tenant) as the attacker
Reproduction
1. Authenticate to the OX App Suite instance and obtain a valid session token.
2. Send a PUT request to the endpoint `/ajax/user?session=
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44881/ (EXPLOIT-DB)
- packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html (MISC)
- seclists.org/fulldisclosure/2018/Jun/23 (FULLDISC)
News mentions
No linked articles in our index yet.