CVE-2013-6241

Published: Dec 27, 2014Modified: May 6, 2026

4.0

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability: 8.0 / Impact: 2.9

Source: NVD

Description

The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL statement for next-year birthdays, which allows remote authenticated users to obtain sensitive birthday, displayname, firstname, and surname information via a birthdays action to api/contacts, aka bug 29315.

Affected (4)

Products: Open Xchange: Open Xchange Appsuite

Open Xchange

1 product

Open Xchange Appsuite

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Open Xchange Open Xchange Appsuite	Version 7.2.0
Open Xchange Open Xchange Appsuite	Version 7.2.1
Open Xchange Open Xchange Appsuite	Version 7.2.2
Open Xchange Open Xchange Appsuite	Version 7.4.0

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

http://archives.neohapsis.com/archives/bugtraq/2013-11/0025.html

Source: cve@mitre.org

https://forum.open-xchange.com/showthread.php?8059-Open-Xchange-releases-Security-Patch-2013-10-21-for-v7-2-2-and-v7-4-0

Source: cve@mitre.org

http://archives.neohapsis.com/archives/bugtraq/2013-11/0025.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://forum.open-xchange.com/showthread.php?8059-Open-Xchange-releases-Security-Patch-2013-10-21-for-v7-2-2-and-v7-4-0

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.