Open-Xchange Appsuite Security Vulnerabilities
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a p...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without a...
5.5CVSS
5.9AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Ma...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware serv...
4.3CVSS
5AI Score
0.001EPSS
7.5CVSS
7.5AI Score
0.001EPSS
OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.2AI Score
0.001EPSS
9.9CVSS
9.4AI Score
0.001EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
5.4CVSS
6.3AI Score
0.001EPSS
4.3CVSS
5.6AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.7AI Score
0.001EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecure Permissions.
9.8CVSS
9.4AI Score
0.003EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
5.4CVSS
6.3AI Score
0.001EPSS
The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.
6.5CVSS
5.9AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Information Exposure.
9.8CVSS
9.4AI Score
0.003EPSS
7.5CVSS
8AI Score
0.001EPSS
9.8CVSS
9.5AI Score
0.004EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.7AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
9.8CVSS
9.5AI Score
0.004EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.7AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
8.8CVSS
8.7AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag.
6.1CVSS
6AI Score
0.002EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
8.8CVSS
8.7AI Score
0.002EPSS
5.3CVSS
5.4AI Score
0.001EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.1AI Score
0.001EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Information Exposure.
5.3CVSS
5.6AI Score
0.001EPSS
6.5CVSS
6.5AI Score
0.001EPSS
5.3CVSS
5.5AI Score
0.002EPSS
6.1CVSS
6.2AI Score
0.001EPSS
5.4CVSS
5.5AI Score
0.001EPSS
5.4CVSS
5.4AI Score
0.001EPSS
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.
6.5CVSS
5.7AI Score
0.002EPSS
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and...
8.8CVSS
6.7AI Score
0.007EPSS
The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.
6.5CVSS
6AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.
5.4CVSS
5.6AI Score
0.001EPSS
Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet.
5.5CVSS
5.7AI Score
0.002EPSS
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a de...
4.3CVSS
5.3AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page wit...
6.1CVSS
6AI Score
0.001EPSS
Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include folder names in API error responses, which allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to api/tasks.
6.5CVSS
6.2AI Score
0.001EPSS
8.1CVSS
8AI Score
0.001EPSS
5.4CVSS
5.5AI Score
0.0005EPSS
3.3CVSS
4.3AI Score
0.0004EPSS
5.4CVSS
5.5AI Score
0.001EPSS
8.1CVSS
8AI Score
0.001EPSS
6.1CVSS
6.3AI Score
0.005EPSS
6.6CVSS
6.5AI Score
0.01EPSS
6.1CVSS
6.3AI Score
0.008EPSS
5CVSS
5.2AI Score
0.002EPSS
9.8CVSS
9.5AI Score
0.003EPSS