VIR Vulnerability Intelligence Relay

CVE-2013-1648

low
Published 2013-09-05 · Modified 2026-04-29
CVSS v3
CVSS v2
3.5
VIR risk
3.5

Description

The Subscriptions feature in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not properly validate the publication-source URL, which allows remote authenticated users to trigger arbitrary outbound TCP traffic via a crafted Source field, as demonstrated by (1) an ftp: URL, (2) a gopher: URL, or (3) an http://127.0.0.1/ URL, related to a "Server-side request forging (SSRF)" issue.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Application impact
VendorProductVersionsFixed
open-xchangeopen-xchange_server6.20.7
open-xchangeopen-xchange_server6.22.0
open-xchangeopen-xchange_server6.22.1

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.