VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2018 · Updated Aug 5, 2024

CVE-2018-5756

Description

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can delete arbitrary tasks in OX App Suite by sending a task ID to api/tasks without proper folder association checks.

Vulnerability

The backend component in Open-Xchange OX App Suite fails to properly verify the folder-to-object association when processing delete requests for tasks [1]. This missing check allows a remote authenticated user to supply an arbitrary task ID via a delete action to the api/tasks endpoint. The vulnerability affects OX App Suite versions before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22.

Exploitation

An attacker needs an authenticated session in OX App Suite. By sending a crafted HTTP POST request to api/tasks with a delete action and a task_id parameter referencing a task owned by another user, the server deletes the task without verifying that the requesting user has the appropriate folder-level permissions [1]. No additional user interaction is required beyond authentication.

Impact

A remote authenticated attacker can delete arbitrary tasks belonging to any user or folder in the same OX App Suite deployment. This results in unauthorized data loss of targeted task items, directly compromising the availability and integrity of user data within the application.

Mitigation

The vendor addressed this issue in software updates released on 2018-06-12 [1]. Fixed versions are: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, and 7.8.4-rev22. Administrators should upgrade to one of these versions or later. No workaround is documented in the available reference.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Open-Xchange/Appsuite (inferred), 2 version ranges:
    • (no CPE) range: <7.6.3-rev36 || >=7.8.0,<7.8.2-rev39 || >=7.8.3,<7.8.3-rev44 || >=7.8.4,<7.8.4-rev22
    • (no CPE) range: < 7.6.3-rev36 for the 7.6.x series, < 7.8.2-rev39 for the 7.8.x series, < 7.8.3-rev44 for the 7.8.3 series, < 7.8.4-rev22 for the 7.8.4 series

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Incomplete permission checks for folder-to-object association allow a user to delete another user's tasks by supplying a mismatched task ID and folder ID."

Attack vector

An authenticated remote attacker (User B) can delete another user's task by sending a DELETE request to `/api/tasks?action=delete` with the victim's task ID but supplying a valid task folder ID that belongs to the attacker [ref_id=1]. The backend fails to verify that the task object actually belongs to the folder specified, allowing the attacker to bypass the folder-level permission check and delete arbitrary tasks [CWE-269] [ref_id=1]. The CVSS score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) confirms the attack requires network access, low complexity, and authentication but no user interaction [ref_id=1].

Affected code

The vulnerability resides in the backend component of OX App Suite, specifically in the `/api/tasks` endpoint's delete action. The advisory identifies that permission checks for tasks were incomplete with regard to folder-to-object association [ref_id=1].

What the fix does

The vendor enhanced permission checks for the task delete call to verify folder-to-object association [ref_id=1]. The fix ensures that when a delete request is processed, the backend confirms that the task ID actually belongs to the folder ID provided by the requester, preventing an attacker from using a folder they control to delete tasks in another user's folder. The fix was released in versions 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, and 7.8.4-rev22 [ref_id=1].
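Added illustration, not OX App Suite's own code: a minimal Python model of the task delete handler before and after the association check described above. Users, folders and task IDs are constructed sample data, and the permission model is simplified to folder ownership.

```python
from dataclasses import dataclass


@dataclass
class Task:
    id: int
    folder_id: int


class Forbidden(Exception):
    pass


# Constructed sample data: user A owns folder 10 holding task 1,
# user B owns folder 20 holding task 2.
FOLDER_OWNER = {10: "A", 20: "B"}
TASKS = {1: Task(1, 10), 2: Task(2, 20)}


def can_delete_in_folder(user, folder_id):
    # Simplified folder-level permission: only the folder owner may delete in it.
    return FOLDER_OWNER.get(folder_id) == user


def delete_task_vulnerable(user, task_id, folder_id, tasks):
    # Before the fix: the permission check runs against the folder the
    # requester supplied, then the task is deleted by ID alone.
    if not can_delete_in_folder(user, folder_id):
        raise Forbidden("no delete permission on folder %d" % folder_id)
    if task_id not in tasks:
        raise KeyError(task_id)
    del tasks[task_id]
    return True


def delete_task_fixed(user, task_id, folder_id, tasks):
    # After the fix: load the task and confirm it really lives in the supplied
    # folder before that folder is used for the permission decision.
    task = tasks.get(task_id)
    if task is None:
        raise KeyError(task_id)
    if task.folder_id != folder_id:
        raise Forbidden("task %d is not in folder %d" % (task_id, folder_id))
    if not can_delete_in_folder(user, folder_id):
        raise Forbidden("no delete permission on folder %d" % folder_id)
    del tasks[task_id]
    return True


def run_scenario(handler, user="B", task_id=1, folder_id=20):
    # Replays the page's reproduction with a fresh copy of the sample store and
    # reports (outcome, target task still present).
    tasks = dict(TASKS)
    try:
        handler(user, task_id, folder_id, tasks)
        outcome = "deleted"
    except Forbidden:
        outcome = "forbidden"
    return outcome, task_id in tasks
```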

Preconditions

  • Auth: The attacker must be an authenticated user of the OX App Suite instance
  • Input: The attacker must know or guess the target task's ID
  • Input: The attacker must have a valid task folder ID of their own to supply in the request

Reproduction

1. As User A, create a task and note its ID (e.g., ID: 1).
2. As User B, send a DELETE request to `/api/tasks?action=delete` with the task ID of User A's task (ID: 1) but supply a valid task folder ID that belongs to User B.
3. User A's task is deleted despite User B having no permission on that task [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.