CVE-2013-1648 Information

Description

The Subscriptions feature in Open-Xchange Server before 6.20.7 rev14 6.22.0 before rev13 and 6.22.1 before rev14 does not properly validate the publication-source URL which allows remote authenticated users to trigger arbitrary outbound TCP traffic via a crafted Source field as demonstrated by (1) an ftp: URL (2) a gopher: URL or (3) an http://127.0.0.1/ URL related to a \Server-side request forging (SSRF)\ issue.

Reference

http://archives.neohapsis.com/archives/bugtraq/2013-03/0075.html