CVE-2013-6241

The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL statement for next-year birthdays, which allows remote authenticated users to obtain sensitive birthday, displayname, firstname, and surname information via a birthdays action to api/contacts, aka bug 29315.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.1:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.2.2:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite:7.4.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-12-27 18:59

Updated : 2023-12-10 11:31


NVD link : CVE-2013-6241

Mitre link : CVE-2013-6241

CVE.ORG link : CVE-2013-6241


JSON object : View

Products Affected

open-xchange

  • open-xchange_appsuite
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor