This host is running Open-Xchange Server and is prone to multiple vulnerabilities.

Successful exploitation will allow attacker to execute arbitrary HTML or web script in a user's browser session in context of an affected site, compromise the application and access or modify data in the database. Impact Level: Application

Update to versions 6.20.7-rev14, 6.22.0-rev13, or 6.22.1-rev14, For updates refer to http://www.open-xchange.com/home.html

- Input passed via arbitrary GET parameters to /servlet/TestServlet is not properly sanitized before being returned to the user. - Input related to the 'Source' field when creating subscriptions is not properly sanitized before being used. This can be exploited to perform arbitrary HTTP GET requests to remote and local servers. - The OXUpdater component does not properly validate the SSL certificate of an update server. This can be exploited to spoof update packages via a MitM (Man-in-the-Middle) attack. - The application creates the /opt/open-exchange/etc directory with insecure world-readable permissions. This can be exploited to disclose certain sensitive information. - Input passed via the 'location' GET parameter to /ajax/redirect is not properly sanitized before being used to construct HTTP response headers. - Certain input related to RSS feed contents is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code.

Open-Xchange Server versions prior to 6.20.7-rev14, 6.22.0-rev13 and 6.22.1-rev14.

• http://osvdb.org/91240
• http://packetstormsecurity.com/files/120785
• http://seclists.org/bugtraq/2013/Mar/74
• http://secunia.com/advisories/52603
• http://www.exploit-db.com/exploits/24791

---

Updated on 2015-03-25