2016-12-15 06:31:00
mitre
PUBLISHED
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the users name to JS code makes that code execute when selecting that users "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).