CVE-2018-5752
Description
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The OX App Suite backend allows SSRF via non-decimal IP address and special IPv6 address representations, enabling scanning of internal resources.
Vulnerability
The backend component of Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows server-side request forgery (SSRF). The vulnerability is triggered by using non-decimal representations of IP addresses (e.g., octal, hexadecimal) and special IPv6-related addresses when making backend HTTP requests [1]. The affected code runs server-side and does not require any special user privileges beyond normal application access.
Exploitation
An attacker can send crafted requests to the OX App Suite backend that include non-standard IP address formats. The backend will interpret these representations and make HTTP requests to unintended internal or external resources. No authentication is required beyond a valid session, and the attacker does not need to be on the internal network [1]. The attack is performed remotely without user interaction.
Impact
Successful exploitation allows an attacker to perform server-side request forgery (SSRF). This can lead to information disclosure by reading internal network services, scanning internal hosts, or potentially exploiting other internal systems. The attacker operates with the privileges of the vulnerable backend service, which may have access to sensitive internal resources [1].
Mitigation
Fix versions are available: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, and 7.8.4-rev22 [1]. Users should upgrade to these or later versions. There are no known workarounds; upgrading is the only effective mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.6.3-rev36, <7.8.2-rev39, <7.8.3-rev44, <7.8.4-rev22
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The backend component does not validate or restrict non-decimal representations of IP addresses and special IPv6-related addresses when following HTTP redirects during external mail account auto-configuration, allowing SSRF."
Attack vector
An attacker with a valid user account sets up a malicious HTTP service that responds with an HTTP 301 redirect pointing to a local or internal IP address (using non-decimal or special IPv6 address formats). The attacker then attempts to add an external mail account whose domain resolves to the attacker's malicious service. When the OX App Suite backend follows the redirect during auto-configuration lookup, it makes requests to internal network endpoints. By observing error codes and response times of the /api/autoconfig?action=get request, the attacker can probe internal network configuration, open ports, and services [ref_id=1].
Affected code
The vulnerability resides in the backend component of OX App Suite, specifically in the auto-configuration logic that looks up external mail account configuration via XML files hosted at mail providers' hosts [ref_id=1]. The advisory does not specify exact file paths or function names.
What the fix does
The vendor fixed the vulnerability by denying access to network-internal endpoints when following HTTP redirects during the auto-configuration process [ref_id=1]. The advisory states: "We now deny access to network internal endpoints when following HTTP redirects" [ref_id=1]. No patch diff is provided in the bundle, but the fix was released in versions 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, and 7.8.4-rev22 [ref_id=1].
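The fix denies network-internal endpoints at each redirect hop. As an added illustration (not OX App Suite code, and not the vendor's patch), the Python guard below shows what such a check has to cover to close the vectors this advisory names: IPv4 literals in the non-decimal spellings libc accepts (octal, hex, integer, short forms), IPv6 addresses that embed an IPv4 address (IPv4-mapped, 6to4, Teredo, NAT64), and re-validation of the target before every redirect. The domain names, DNS stand-in and HTTP responses are constructed for the offline demo.

```python
# Added example (not OX App Suite code): an outbound-fetch guard that normalises
# IP literals the way the OS resolver does, unwraps IPv6 forms that carry an
# IPv4 address, and re-checks the target on every redirect hop.
import socket
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from urllib.parse import urljoin, urlsplit


class SSRFBlocked(Exception):
    """Raised when a fetch would reach a network-internal address."""


# Ranges a mail auto-configuration lookup has no business reaching.
BLOCKED_V4 = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4")]
BLOCKED_V6 = [ip_network(n) for n in ("::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
NAT64 = ip_network("64:ff9b::/96")


def parse_ip_literal(host):
    """Return the address a host string denotes, or None if it is a hostname.

    inet_aton is tried first because it accepts every IPv4 spelling a libc-based
    client would connect to (octal 0177.0.0.1, hex 0x7f000001, integer
    2130706433, short 127.1); ipaddress alone would treat those as hostnames.
    """
    h = host.strip("[]")
    try:
        return IPv4Address(socket.inet_aton(h))
    except OSError:
        pass
    try:
        return ip_address(h)          # IPv6 literals
    except ValueError:
        return None


def embedded_ipv4(addr):
    """IPv4 address carried inside an IPv6 transition address, if any."""
    if not isinstance(addr, IPv6Address):
        return None
    if addr.ipv4_mapped:              # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour:                # 2002:AABB:CCDD::
        return addr.sixtofour
    if addr.teredo:                   # 2001:0::/32, client address in the low bits
        return addr.teredo[1]
    if addr in NAT64:                 # 64:ff9b::a.b.c.d
        return IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def is_internal(addr):
    """True if the address (or the IPv4 address it wraps) is non-routable/internal."""
    inner = embedded_ipv4(addr)
    if inner is not None:
        return is_internal(inner)
    nets = BLOCKED_V4 if isinstance(addr, IPv4Address) else BLOCKED_V6
    return any(addr in n for n in nets)


def is_internal_literal(host):
    addr = parse_ip_literal(host)
    return addr is not None and is_internal(addr)


def resolve_targets(host, resolver=None):
    """Every address a connection to `host` might actually go to."""
    literal = parse_ip_literal(host)
    if literal is not None:
        return [literal]
    if resolver is None:              # real DNS; the offline demo injects a stand-in
        resolver = lambda h: [ip_address(r[4][0]) for r in socket.getaddrinfo(h, None)]
    return resolver(host)


def follow_redirects(url, fetch, resolver=None, max_hops=5):
    """fetch(url) -> (status, location_header, body). The target is validated
    before the first request and again before each redirect hop."""
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if not host:
            raise SSRFBlocked(f"no host in {url!r}")
        for addr in resolve_targets(host, resolver):
            if is_internal(addr):
                raise SSRFBlocked(f"{url} resolves to network-internal {addr}")
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return status, body
    raise SSRFBlocked("too many redirects")


# Constructed offline stand-ins for DNS and for two auto-configuration hosts.
FAKE_DNS = {"mail.example.test": [ip_address("203.0.113.10")],
            "good.example.test": [ip_address("203.0.113.11")]}
FAKE_HTTP = {
    "http://mail.example.test/autoconfig.xml": (301, "http://0x7f000001/", ""),
    "http://good.example.test/autoconfig.xml": (200, None, "<clientConfig/>"),
}


def demo(domain):
    """Guarded lookup for one mail domain: returns the HTTP status or 'blocked'."""
    try:
        status, _ = follow_redirects(f"http://{domain}/autoconfig.xml",
                                     lambda u: FAKE_HTTP[u], FAKE_DNS.__getitem__)
        return status
    except SSRFBlocked:
        return "blocked"


if __name__ == "__main__":
    print(demo("good.example.test"), demo("mail.example.test"))
```

A production client should additionally connect to the address it validated rather than re-resolving the name at connect time, so that a DNS answer that changes between the check and the connection cannot bypass the guard.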
Preconditions
- auth: Attacker must have a valid user account on the OX App Suite instance
- input: Attacker must control an HTTP service that can issue redirects to internal IP addresses
- config: The OX App Suite backend must be configured to allow external mail account auto-configuration
Reproduction
1. Provide a malicious HTTP service that redirects any incoming request to a local IP/port combination using HTTP 301.
2. Attempt to add an external mail account that uses the same domain as the malicious HTTP service.
3. Check error codes and response times of the /api/autoconfig?action=get request [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44881/ (Exploit-DB)
- packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html (MISC)
- seclists.org/fulldisclosure/2018/Jun/23 (Full Disclosure mailing list)
News mentions
No linked articles in our index yet.