The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x prior to 7.2.2-rev25 and 7.4.x prior to 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL statement for next-year birthdays, which allows remote authenticated users to obtain sensitive birthday, displayname, firstname, and surname information via a birthdays action to api/contacts, aka bug 29315.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
open-xchange open-xchange appsuite 7.2.0 |
||
open-xchange open-xchange appsuite 7.2.1 |
||
open-xchange open-xchange appsuite 7.2.2 |
||
open-xchange open-xchange appsuite 7.4.0 |