Skip to content

CVE-2014-2391

The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request.

View on NVD

Severity

N/A

EPSS

Probability of exploitation (next 30 days): 0.0023 (0.2%)
Percentile: 45.7%
EPSS: 2026-05-06

Affects

open-xchange:open-xchange_appsuite

Technical description

The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request.

Published: 4/24/2014, 5:06:05 AM
Last modified: 5/6/2026, 10:30:45 PM

References

HomeEventsBlogResourcesTeam