CVE-2018-5754
Description
Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in the office-web component of Open-Xchange OX App Suite allows attackers to inject arbitrary script via a crafted presentation file when content is copied to the clipboard.
Vulnerability
The vulnerability is a cross-site scripting (XSS) flaw in the office-web component of Open-Xchange OX App Suite. It affects versions before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9. The issue occurs when a crafted presentation file is processed, specifically when its content is copied to the clipboard. The component fails to properly sanitize that content, allowing injection of arbitrary web script or HTML. [1]
Exploitation
An attacker can exploit this by sending a specially crafted presentation file to a victim. The victim must open the file in the OX App Suite office-web component and perform a copy-to-clipboard action. No authentication is required for the attacker to deliver the file, but user interaction is needed. The attack can be performed remotely over the network. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of sensitive information, session hijacking, or defacement. The impact is limited to the user's browser session and the data accessible within the OX App Suite application. [1]
Mitigation
The vulnerability is fixed in OX App Suite versions 7.6.3-rev30, 7.8.2-rev30, 7.8.3-rev36, and 7.8.4-rev18, released on 2018-02-08. Users should upgrade to these or later versions. No workarounds are documented. The vendor has confirmed the fix. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.8.3-rev12, <7.8.4-rev9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Internet Explorer's lack of proper Content Security Policy (CSP) support allows script injection via the 'Open in Browser' feature for presentation files."
Attack vector
A remote attacker crafts a presentation file containing malicious script code. When a victim opens this file using the "Open in Browser" feature in Internet Explorer, the script executes within the user's session context. Internet Explorer does not properly support modern Content Security Policies (CSP), which would otherwise act as a failsafe against such XSS attacks [ref_id=1].
Affected code
The vulnerability is in the office-web component of the Open-Xchange OX App Suite frontend. The "Open in Browser" feature is identified as the attack vector, and the fix removes this option for Internet Explorer-based browsers [ref_id=1].
What the fix does
The vendor removed the "Open in Browser" option from the user interface for Internet Explorer-based browsers. Users are now required to download attachments and open them from their local device, which eliminates the possibility of executing script code under the same domain. Microsoft Edge is not affected by this change [ref_id=1].
Preconditions
- config: Victim must use Internet Explorer as their browser (Microsoft Edge is not affected)
- input: Attacker must deliver a crafted presentation file to the victim
- input: Victim must use the 'Open in Browser' feature to open the malicious file
Reproduction
The advisory describes this as a "precautionary change" and does not provide specific reproduction steps [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44881/ (EXPLOIT-DB)
- packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html (MISC)
- seclists.org/fulldisclosure/2018/Jun/23 (FULLDISC mailing list)
News mentions
No linked articles in our index yet.