Total
48 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-29049 | 1 Open-xchange | 1 Ox App Suite | 2024-01-12 | N/A | 6.1 MEDIUM |
| The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known. | |||||
| CVE-2023-29048 | 1 Open-xchange | 1 Ox App Suite | 2024-01-12 | N/A | 8.8 HIGH |
| A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known. | |||||
| CVE-2022-24406 | 1 Open-xchange | 1 Ox App Suite | 2023-08-08 | N/A | 6.5 MEDIUM |
| OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls. | |||||
| CVE-2023-24597 | 1 Open-xchange | 1 Ox App Suite | 2023-06-02 | N/A | 5.3 MEDIUM |
| OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. | |||||
| CVE-2023-24602 | 1 Open-xchange | 1 Ox App Suite | 2023-06-01 | N/A | 6.1 MEDIUM |
| OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. | |||||
| CVE-2023-24601 | 1 Open-xchange | 1 Ox App Suite | 2023-06-01 | N/A | 6.1 MEDIUM |
| OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. | |||||
| CVE-2021-38374 | 1 Open-xchange | 1 Ox App Suite | 2022-10-28 | 3.5 LOW | 5.4 MEDIUM |
| OX App Suite through through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader URL. | |||||
| CVE-2022-24405 | 1 Open-xchange | 1 Ox App Suite | 2022-08-03 | N/A | 9.8 CRITICAL |
| OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. | |||||
| CVE-2022-23101 | 1 Open-xchange | 1 Ox App Suite | 2022-08-03 | N/A | 6.1 MEDIUM |
| OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message. | |||||
| CVE-2022-23100 | 1 Open-xchange | 1 Ox App Suite | 2022-08-03 | N/A | 9.8 CRITICAL |
| OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). | |||||
| CVE-2021-38378 | 1 Open-xchange | 1 Ox App Suite | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name. | |||||
| CVE-2021-38377 | 1 Open-xchange | 1 Ox App Suite | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results. | |||||
| CVE-2021-38376 | 1 Open-xchange | 1 Ox App Suite | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call. | |||||
| CVE-2021-44212 | 1 Open-xchange | 1 Ox App Suite | 2022-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring. | |||||
| CVE-2021-44213 | 1 Open-xchange | 1 Ox App Suite | 2022-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message. | |||||
| CVE-2021-44209 | 1 Open-xchange | 1 Ox App Suite | 2022-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO. | |||||
| CVE-2021-44208 | 1 Open-xchange | 1 Ox App Suite | 2022-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat. | |||||
| CVE-2021-44211 | 1 Open-xchange | 1 Ox App Suite | 2022-03-30 | 3.5 LOW | 5.4 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature. | |||||
| CVE-2021-44210 | 1 Open-xchange | 1 Ox App Suite | 2022-03-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data. | |||||
| CVE-2021-33494 | 1 Open-xchange | 1 Ox App Suite | 2021-11-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. | |||||