CVE-2018-5751
Description
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OX App Suite backend allows authenticated users to enumerate external guest users via the groups and users APIs, leaking personal information.
Vulnerability
The backend component in Open-Xchange OX App Suite versions before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 contains an information disclosure vulnerability. Remote authenticated users can exploit the groups and users APIs to obtain sensitive information about external guest users. This issue affects the backend component handling these API endpoints.
Exploitation
An attacker needs valid credentials for an OX App Suite user account. With authenticated access, the attacker can craft requests to the groups and users APIs to enumerate external guest users and retrieve their personal information. The attack does not require any special privileges beyond standard user access.
Impact
Successful exploitation allows an attacker to gain sensitive information about external guest users, such as names, email addresses, or other personal data exposed through the API. This information disclosure can lead to privacy breaches and potential further attacks on the guest users. The compromised data is limited to the information accessible via these APIs.
Mitigation
The vulnerability has been fixed by the vendor in the following versions: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, and 7.8.4-rev22 [1]. Users are advised to upgrade their OX App Suite installation to the patched versions. If immediate upgrade is not possible, restricting access to the affected API endpoints for authenticated users may serve as a temporary workaround.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.6.3-rev36, <7.8.2-rev39, <7.8.3-rev44, <7.8.4-rev22
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The 'groups' and 'users' APIs expose guest user data (primarily email addresses) to all users within the same context, even though those users are not entitled to access it."
Attack vector
An authenticated attacker first shares content with an external user via the "invite by mail" option, which creates a temporary guest account [ref_id=1]. The attacker then queries the "groups" and "users" APIs as another user within the same context, which returns sensitive information about the external guest user — primarily their email address — even though the attacker is not entitled to access that data [ref_id=1]. No special network position is required beyond normal authenticated access to the OX App Suite instance.
Affected code
The vulnerability resides in the backend component of OX App Suite, specifically in the "groups" and "users" APIs [ref_id=1]. These APIs expose information about user accounts, including data about external guest users who were invited to share content [ref_id=1].
What the fix does
The advisory states the solution is to "restrict access to guest user data and reduce the amount of data provided for groups" [ref_id=1]. No patch diff is included in the bundle, but the fix was applied in versions 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, and 7.8.4-rev22 [ref_id=1]. The remediation closes the information exposure by ensuring that guest user data is only visible to users who are legitimately entitled to access it, rather than being available to all users within the same context.
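As an added example (not Open-Xchange code; the data model and the rule that only the inviting user may see a guest's details are assumptions made for illustration), the following Python places the pre-fix listing, which returns every account in the context, beside a listing that applies the two remediation points the advisory names: entitlement-filtered guest records and reduced group data.

```python
# Added illustration of the access-control gap described in this record and of the
# remediation the advisory describes ("restrict access to guest user data and reduce
# the amount of data provided for groups"). Data model and entitlement rule are
# assumptions for the example; this is not Open-Xchange code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    uid: int
    context: int
    display_name: str
    email: str
    is_guest: bool = False
    invited_by: Optional[int] = None  # share owner who created the guest (assumed field)

# Constructed sample directory: two regular users and one guest created by a mail invite.
DIRECTORY = [
    User(1, 10, "Alice", "alice@example.org"),
    User(2, 10, "Bob", "bob@example.org"),
    User(100, 10, "guest", "guest@external.example", is_guest=True, invited_by=1),
]

def list_users_vulnerable(requester: User) -> list:
    """Pre-fix behaviour: every account in the requester's context is returned, guests included."""
    return [{"id": u.uid, "name": u.display_name, "email": u.email}
            for u in DIRECTORY if u.context == requester.context]

def entitled_to_guest(requester: User, guest: User) -> bool:
    # Assumed entitlement rule: only the user who issued the invite may see guest details.
    return guest.invited_by == requester.uid

def list_users_fixed(requester: User) -> list:
    """Post-fix behaviour: guest records are returned only to entitled requesters."""
    out = []
    for u in DIRECTORY:
        if u.context != requester.context:
            continue
        if u.is_guest and not entitled_to_guest(requester, u):
            continue
        out.append({"id": u.uid, "name": u.display_name, "email": u.email})
    return out

def group_members_fixed(member_ids: list) -> list:
    """Reduced group payload: identifiers and display names only, never e-mail addresses."""
    by_id = {u.uid: u for u in DIRECTORY}
    return [{"id": i, "name": by_id[i].display_name} for i in member_ids if i in by_id]
```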
Preconditions
- Auth: Attacker must be an authenticated user of the OX App Suite instance
- Config: A guest user must have been invited via the 'invite by mail' share feature
- Config: Attacker must be in the same context as the guest user
Reproduction
1. As an authenticated user, share content with an external user by using the "invite by mail" option [ref_id=1].
2. As another authenticated user within the same context, query the "groups" and "users" APIs to retrieve the external guest user's email address and other sensitive information [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44881/ (Exploit-DB)
- packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html (Packet Storm)
- seclists.org/fulldisclosure/2018/Jun/23 (Full Disclosure mailing list)
News mentions
No linked articles in our index yet.