CVE-2018-5753
Description
The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unicode characters in sender name field allow spoofing email origin in OX App Suite versions before several patches.
Vulnerability
The frontend component of Open-Xchange OX App Suite contains an input validation flaw that allows an attacker to spoof the origin of e-mails by inserting specially crafted Unicode characters into the 'personal part' of a From or Sender address [1]. This affects versions before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 [1].
Exploitation
An attacker can send an e-mail with a manipulated sender name containing Unicode characters that cause the displayed origin to differ from the actual mail origin [1]. No special network position is required; the attacker only needs the ability to send e-mails to a target user. The target user must view the e-mail in the OX App Suite frontend for the spoofed origin to be perceived.
Impact
Successful exploitation allows a remote attacker to deceive the recipient about the origin of the e-mail, potentially enabling phishing or other social engineering attacks [1]. The attacker does not gain code execution or elevated access; the impact is limited to information integrity and trust manipulation.
Mitigation
The vulnerability is fixed in OX App Suite versions 7.6.3-rev31, 7.8.2-rev31, 7.8.3-rev41, and 7.8.4-rev20 [1]. Users should upgrade to these or later versions. No workaround is provided in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.6.3-rev31, <7.8.2-rev31, <7.8.3-rev41, <7.8.4-rev20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing sanitization of Unicode characters in the "personal part" of From/Sender e-mail headers allows spoofing the displayed e-mail origin.
Attack vector
An attacker crafts an email with specially chosen unicode characters in the "personal part" of the From or Sender header. Because the frontend does not properly sanitize these characters, the displayed origin of the email can be spoofed [ref_id=1]. The attack requires no authentication (CVSS:3.0/AV:N/AC:L/PR:N) and only requires the victim to view the crafted email (UI:R). This supports social-engineering attacks by making a malicious email appear to come from a trusted source [CWE-451].
Affected code
The frontend component that renders email headers is at fault. The advisory identifies the vulnerable component as "frontend" and states that the "From" or "Sender" address fields are parsed without sanitizing unicode characters in the "personal part" [ref_id=1]. No specific function or file names are provided in the bundle.
What the fix does
The vendor fixed the issue by displaying the actual sender address next to the "personal" part of the sender, ensuring that this information cannot be influenced by externally provided content [ref_id=1]. The fix was released in versions 7.6.3-rev31, 7.8.2-rev31, 7.8.3-rev41, and 7.8.4-rev20 [ref_id=1]. No patch diff is available in the bundle.
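The display behaviour the fix describes, as an added example (not OX App Suite's own code): parse a From/Sender value, always render the real address next to the personal part so the personal part cannot stand in for it, and flag personal parts that could disguise the origin. The MAX_PERSONAL_DISPLAY cap and the header value being already RFC 2047-decoded are assumptions.

```javascript
// Added example (not OX App Suite code): render a sender the way the
// described fix does, i.e. always show the real address next to the
// "personal part", and flag personal parts that could disguise the origin.
// Header values are assumed to be already RFC 2047-decoded (an assumption).

const MAX_PERSONAL_DISPLAY = 40;   // assumed cap for the displayed personal part

// Parse a From/Sender value into { personal, address }.
// Handles `"Name" <a@b>`, `Name <a@b>` and a bare `a@b`.
function parseAddress(headerValue) {
  const value = headerValue.trim();
  const m = value.match(/^(.*?)\s*<([^<>]+)>\s*$/s);
  if (!m) return { personal: "", address: value };
  let personal = m[1].trim();
  if (personal.length >= 2 && personal.startsWith('"') && personal.endsWith('"')) {
    personal = personal.slice(1, -1).replace(/\\(.)/g, "$1");
  }
  return { personal, address: m[2].trim() };
}

// Return the names of the checks a personal part fails. The client can use
// this to decide whether to show a warning badge next to the sender.
function personalPartWarnings({ personal, address }) {
  const warnings = [];
  if (/\p{Cc}|\p{Cf}/u.test(personal)) warnings.push("control-or-format-chars");
  if (/@/.test(personal)) warnings.push("looks-like-address");
  if (personal.length > MAX_PERSONAL_DISPLAY) warnings.push("too-long");
  // An address-shaped personal part that differs from the real address is
  // the CVE-2018-5753 pattern: the name pretends to be another mailbox.
  const fake = personal.match(/[^\s<>"]+@[^\s<>"]+/);
  if (fake && fake[0].toLowerCase() !== address.toLowerCase()) warnings.push("address-mismatch");
  return warnings;
}

// Build the text the UI shows. The real address is always present and is
// never derived from the personal part, so the personal part cannot hide it.
function renderSender(headerValue) {
  const parsed = parseAddress(headerValue);
  let personal = parsed.personal.replace(/\p{Cc}|\p{Cf}/gu, "");
  if (personal.length > MAX_PERSONAL_DISPLAY) {
    personal = personal.slice(0, MAX_PERSONAL_DISPLAY) + "...";
  }
  const text = personal ? `${personal} <${parsed.address}>` : parsed.address;
  return { text, warnings: personalPartWarnings(parsed) };
}
```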
Preconditions
- config: The victim must use a vulnerable version of OX App Suite (frontend component)
- input: The victim must view an e-mail crafted by the attacker
- auth: No authentication is required for the attacker to send the malicious e-mail
Reproduction
1. Create an e-mail containing very long "personal" parts or mail addresses as personal parts in the From or Sender header [ref_id=1].
2. Send the e-mail to a victim using a vulnerable OX App Suite instance.
3. The victim views the e-mail and sees a spoofed origin, because Unicode characters in the personal part disguise the actual sender address [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44881/ (mitre; exploit; x_refsource_EXPLOIT-DB)
- packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html (mitre; x_refsource_MISC)
- seclists.org/fulldisclosure/2018/Jun/23 (mitre; mailing-list; x_refsource_FULLDISC)
News mentions
No linked articles in our index yet.