Open-xchange Security Vulnerabilities
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads t...
5.4CVSS
5.8AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end u...
7.4CVSS
7.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Malicious script code can b...
6.1CVSS
6.2AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the...
3.5CVSS
4AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encrypt...
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script code can be executed w...
6.1CVSS
6.2AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type,...
5.8CVSS
5.7AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker...
4.3CVSS
4.4AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow instructions injected b...
4.3CVSS
4.6AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image from a specially cra...
6.1CVSS
6.2AI Score
0.003EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This...
6.1CVSS
6.2AI Score
0.002EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed wit...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a use...
6.1CVSS
6.2AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a p...
6.1CVSS
6.3AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10,...
6.1CVSS
6AI Score
0.002EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without a...
5.5CVSS
5.9AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Ma...
6.1CVSS
6.3AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed ...
6.1CVSS
6.2AI Score
0.003EPSS
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware serv...
4.3CVSS
5AI Score
0.001EPSS
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, u...
6.1CVSS
6.2AI Score
0.002EPSS
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted...
6.1CVSS
6.2AI Score
0.002EPSS
7.5CVSS
7.5AI Score
0.001EPSS
OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.2AI Score
0.001EPSS
9.9CVSS
9.4AI Score
0.001EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
5.4CVSS
6.3AI Score
0.001EPSS
4.3CVSS
5.6AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.7AI Score
0.001EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecure Permissions.
9.8CVSS
9.4AI Score
0.003EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
5.4CVSS
6.3AI Score
0.001EPSS
The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.
6.5CVSS
5.9AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Information Exposure.
9.8CVSS
9.4AI Score
0.003EPSS
7.5CVSS
8AI Score
0.001EPSS
9.8CVSS
9.5AI Score
0.004EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.7AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
9.8CVSS
9.5AI Score
0.004EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.7AI Score
0.001EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
8.8CVSS
8.7AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag.
6.1CVSS
6AI Score
0.002EPSS
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
8.8CVSS
8.7AI Score
0.002EPSS
5.3CVSS
5.4AI Score
0.001EPSS
Open-Xchange GmbH OX Cloud Plugins 1.4.0 and earlier is affected by: Missing Authorization.
7.2CVSS
7AI Score
0.002EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).
6.1CVSS
6.1AI Score
0.001EPSS
OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Information Exposure.
5.3CVSS
5.6AI Score
0.001EPSS
8.8CVSS
8.6AI Score
0.001EPSS
6.5CVSS
6.5AI Score
0.001EPSS
5.3CVSS
5.5AI Score
0.002EPSS
6.1CVSS
6.2AI Score
0.001EPSS
5.4CVSS
5.5AI Score
0.001EPSS