Open-xchange / Open-xchange Appsuite

157 matches found

added 2021/01/12 8:15 a.m. | 45 views

CVE-2020-24700

OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.

CVSS 5.5 | AI score 5.5 | EPSS 0.00295

added 2021/01/12 10:15 p.m. | 45 views

CVE-2021-23929

OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/?delivery=view URI.

CVSS 6.1 | AI score 5.8 | EPSS 0.00174

added 2021/01/12 10:15 p.m. | 45 views

CVE-2021-23931

OX App Suite through 7.10.4 allows XSS via an inline binary file.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2013/09/05 11:44 a.m. | 44 views

CVE-2013-2582

CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allows remote attackers to inject arbitrary HTTP headers and conduct open redirect attacks by leveraging improper sanitization ...

CVSS 5 | AI score 7.2 | EPSS 0.00245

added 2013/10/03 7:55 p.m. | 44 views

CVE-2013-5690

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite before 7.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) content with the text/xml MIME type or (2) the Status comment field of an appointment.

CVSS 3.5 | AI score 5.4 | EPSS 0.00159

added 2016/12/15 6:59 a.m. | 44 views

CVE-2016-5740

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This...

CVSS 6.1 | AI score 6.2 | EPSS 0.00144

added 2016/12/15 6:59 a.m. | 44 views

CVE-2016-6848

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without a...

CVSS 5.5 | AI score 5.9 | EPSS 0.00095

added 2019/05/10 4:29 p.m. | 44 views

CVE-2017-12884

OX Software GmbH App Suite 7.8.4 and earlier is affected by: Information Exposure.

CVSS 7.5 | AI score 7.5 | EPSS 0.00386

added 2021/07/22 5:15 p.m. | 44 views

CVE-2021-37402

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled.

CVSS 6.1 | AI score 6 | EPSS 0.00978

added 2023/11/02 2:15 p.m. | 44 views

CVE-2023-26452

Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL st...

CVSS 8.8 | AI score 8.7 | EPSS 0.00055

added 2013/09/25 10:31 a.m. | 43 views

CVE-2013-5935

The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 does not properly restrict the set of network interfaces that can receive API calls, which makes it easier for remote attackers to obtain access by sending network traffic from an unintended loc...

CVSS 4.3 | AI score 6.3 | EPSS 0.00514

added 2021/01/12 10:15 p.m. | 43 views

CVE-2021-23932

OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2021/01/12 10:15 p.m. | 43 views

CVE-2021-23935

OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2014/01/26 8:55 p.m. | 42 views

CVE-2013-7140

XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute p...

CVSS 4 | AI score 6.4 | EPSS 0.00454

added 2014/01/26 8:55 p.m. | 42 views

CVE-2013-7143

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule.

CVSS 4.3 | AI score 5.8 | EPSS 0.00329

added 2015/01/05 8:59 p.m. | 42 views

CVE-2014-1679

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file.

CVSS 4.3 | AI score 5.8 | EPSS 0.00285

added 2015/09/28 4:59 p.m. | 42 views

CVE-2015-5375

Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web scrip...

CVSS 4.3 | AI score 5.8 | EPSS 0.00359

added 2019/05/23 3:29 p.m. | 42 views

CVE-2017-15029

Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF.

CVSS 4.3 | AI score 5.6 | EPSS 0.00182

added 2019/05/23 3:29 p.m. | 42 views

CVE-2017-17060

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecure Permissions.

CVSS 9.8 | AI score 9.4 | EPSS 0.00459

added 2019/05/22 8:29 p.m. | 42 views

CVE-2017-5863

Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.

CVSS 9.8 | AI score 9.5 | EPSS 0.00588

added 2019/05/22 7:29 p.m. | 42 views

CVE-2017-9809

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Information Exposure.

CVSS 5.3 | AI score 5.6 | EPSS 0.00237

added 2013/09/05 11:44 a.m. | 41 views

CVE-2013-5698

Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite and Server before 6.22.0 rev16, 6.22.1 before rev19, 7.0.1 before rev7, 7.0.2 before rev11, and 7.2.0 before rev8 allows remote authenticated users to inject arbitrary web script or HTML via a delivery=view action, aka Bug ID 26373, ...

CVSS 3.5 | AI score 5.3 | EPSS 0.00225

added 2013/11/20 1:19 p.m. | 41 views

CVE-2013-6074

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14 allows remote attackers to inject arbitrary web script or HTML via an attached SVG file.

CVSS 4.3 | AI score 5.8 | EPSS 0.00475

added 2016/12/15 6:59 a.m. | 41 views

CVE-2016-3174

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end u...

CVSS 7.4 | AI score 7.3 | EPSS 0.00201

added 2021/01/12 10:15 p.m. | 41 views

CVE-2021-23930

OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.

CVSS 6.1 | AI score 6 | EPSS 0.00174

added 2021/07/22 5:15 p.m. | 41 views

CVE-2021-26699

OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used.

CVSS 5.8 | AI score 5.4 | EPSS 0.00473

added 2013/09/25 10:31 a.m. | 40 views

CVE-2013-5936

The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 allows remote attackers to obtain sensitive information about (1) runtime activity, (2) network configuration, (3) user sessions, (4) the memcache interface, and (5) the REST interface via API c...

CVSS 4.3 | AI score 5.9 | EPSS 0.00514

added 2014/04/24 5:6 a.m. | 40 views

CVE-2014-2391

The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain poten...

CVSS 4.3 | AI score 6.6 | EPSS 0.0023

added 2016/12/15 6:59 a.m. | 40 views

CVE-2016-4046

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type,...

CVSS 5.8 | AI score 5.7 | EPSS 0.00181

added 2019/05/23 3:29 p.m. | 40 views

CVE-2017-5210

Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Information Exposure.

CVSS 9.8 | AI score 9.4 | EPSS 0.00476

added 2019/05/23 3:29 p.m. | 40 views

CVE-2017-5212

Open-Xchange GmbH OX App Suite 7.8.3 is affected by: Incorrect Access Control.

CVSS 9.8 | AI score 9.5 | EPSS 0.00588

added 2019/05/22 8:29 p.m. | 40 views

CVE-2017-9808

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

CVSS 6.1 | AI score 6.1 | EPSS 0.00359

added 2019/01/30 3:29 p.m. | 40 views

CVE-2018-12609

OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery.

CVSS 6.5 | AI score 6.5 | EPSS 0.00386

added 2019/08/20 1:15 p.m. | 40 views

CVE-2019-11522

OX App Suite 7.10.0 to 7.10.2 allows XSS.

CVSS 5.4 | AI score 5.5 | EPSS 0.00181

added 2021/01/12 10:15 p.m. | 40 views

CVE-2021-23934

OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2013/09/05 11:44 a.m. | 39 views

CVE-2013-5035

Multiple race conditions in HtmlCleaner before 2.6, as used in Open-Xchange AppSuite 7.2.2 before rev13 and other products, allow remote authenticated users to read the private e-mail of other persons in opportunistic circumstances by leveraging lack of thread safety and performing a rapid series o...

CVSS 4.9 | AI score 6.5 | EPSS 0.00132

added 2013/10/03 7:55 p.m. | 39 views

CVE-2013-6009

CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, when using AJP in certain conditions, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the ajax/defer servlet.

CVSS 4.3 | AI score 7.2 | EPSS 0.00245

added 2014/01/26 8:55 p.m. | 39 views

CVE-2013-7142

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions.

CVSS 4.3 | AI score 5.9 | EPSS 0.00295

added 2014/09/17 2:55 p.m. | 39 views

CVE-2014-5235

Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds.

CVSS 4.3 | AI score 5.7 | EPSS 0.00295

added 2019/05/23 3:29 p.m. | 39 views

CVE-2017-17061

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

CVSS 5.4 | AI score 6.3 | EPSS 0.00343

added 2019/05/23 3:29 p.m. | 39 views

CVE-2017-5211

Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Content Spoofing.

CVSS 7.5 | AI score 8 | EPSS 0.00289

added 2020/10/23 5:15 a.m. | 39 views

CVE-2020-15002

OX App Suite through 7.10.3 allows SSRF via the /ajax/messaging/message message API.

CVSS 5 | AI score 5.1 | EPSS 0.09242

added 2021/07/22 5:15 p.m. | 39 views

CVE-2021-26698

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used.

CVSS 6.1 | AI score 6 | EPSS 0.01456

added 2023/11/02 2:15 p.m. | 39 views

CVE-2023-29043

Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when performing certain a...

CVSS 6.1 | AI score 6.2 | EPSS 0.0012

added 2023/11/02 2:15 p.m. | 39 views

CVE-2023-29047

Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content which is accessible t...

CVSS 7.3 | AI score 7.3 | EPSS 0.0005

added 2013/09/25 10:31 a.m. | 38 views

CVE-2013-5934

Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 has a hardcoded password for node join operations, which allows remote attackers to expand a cluster by finding this password in the source code and then sending the password in a Hazelcast cluster API call, a different vul...

CVSS 4 | AI score 6.8 | EPSS 0.00514

added 2014/01/26 8:55 p.m. | 38 views

CVE-2013-7141

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "

CVSS 4.3 | AI score 5.8 | EPSS 0.00295

added 2014/04/24 5:6 a.m. | 38 views

CVE-2014-2392

The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer lo...

CVSS 4.3 | AI score 6.4 | EPSS 0.0023

added 2016/12/15 6:59 a.m. | 38 views

CVE-2016-4027

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the...

CVSS 3.5 | AI score 4 | EPSS 0.00215

added 2019/05/10 3:29 p.m. | 38 views

CVE-2017-12885

OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

CVSS 6.1 | AI score 6.2 | EPSS 0.0045

Total number of security vulnerabilities: 157