Open-xchange Appsuite@* Security Vulnerabilities and Issues — Open-xchange Appsuite@* CVE List

Lucene search

Open-xchangeOpen-xchange Appsuite*

125 matches found

CVE•added 2020/01/31 10:15 p.m.•140 views

CVE-2014-5236

Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file.

7.5CVSS7.4AI score0.06674EPSS

CVE•added 2018/06/16 1:29 a.m.•130 views

CVE-2018-5754

Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.

5.4CVSS5.6AI score0.00322EPSS

CVE•added 2020/02/21 9:15 p.m.•125 views

CVE-2019-18846

OX App Suite through 7.10.2 allows SSRF.

5CVSS5.2AI score0.00209EPSS

CVE•added 2018/06/16 1:29 a.m.•123 views

CVE-2018-5755

Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet.

7.1CVSS5.7AI score0.00616EPSS

CVE•added 2021/04/30 10:15 p.m.•84 views

CVE-2020-28943

OX App Suite 7.10.4 and earlier allows SSRF via a snippet.

6.5CVSS6.4AI score0.00212EPSS

CVE•added 2021/04/30 10:15 p.m.•84 views

CVE-2021-31935

OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.

6.1CVSS5.8AI score0.00174EPSS

CVE•added 2022/12/26 4:15 a.m.•78 views

CVE-2022-37310

OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.

6.1CVSS5.9AI score0.00553EPSS

CVE•added 2021/04/30 10:15 p.m.•75 views

CVE-2021-31934

OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.

6.1CVSS5.8AI score0.00174EPSS

CVE•added 2022/12/26 2:15 a.m.•69 views

CVE-2022-37313

OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.

5.3CVSS5.3AI score0.00369EPSS

CVE•added 2019/10/14 5:15 p.m.•68 views

CVE-2019-14226

OX App Suite through 7.10.2 has Insecure Permissions.

8.1CVSS8AI score0.00195EPSS

CVE•added 2022/12/26 2:15 a.m.•66 views

CVE-2022-31469

OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.

6.1CVSS5.9AI score0.00553EPSS

CVE•added 2018/06/16 1:29 a.m.•65 views

CVE-2018-5752

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and...

8.8CVSS6.7AI score0.0197EPSS

CVE•added 2020/01/06 8:15 p.m.•65 views

CVE-2019-16716

OX App Suite through 7.10.2 has Incorrect Access Control.

8.5CVSS6.5AI score0.00384EPSS

CVE•added 2020/01/06 8:15 p.m.•65 views

CVE-2019-16717

OX App Suite through 7.10.2 has XSS.

6.1CVSS6.3AI score0.00361EPSS

CVE•added 2018/06/16 1:29 a.m.•63 views

CVE-2018-5753

The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.

6.5CVSS6AI score0.01833EPSS

CVE•added 2022/12/26 4:15 a.m.•63 views

CVE-2022-29852

OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked.

5.4CVSS5.3AI score0.00584EPSS

CVE•added 2022/12/26 4:15 a.m.•62 views

CVE-2022-29853

OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.

5.4CVSS5.2AI score0.00584EPSS

CVE•added 2022/12/26 3:15 a.m.•62 views

CVE-2022-37308

OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.

6.1CVSS5.9AI score0.00553EPSS

CVE•added 2022/12/26 2:15 a.m.•60 views

CVE-2022-37307

OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.

6.1CVSS6AI score0.00858EPSS

CVE•added 2022/12/26 4:15 a.m.•60 views

CVE-2022-37309

OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.

6.1CVSS6AI score0.00553EPSS

CVE•added 2022/12/26 2:15 a.m.•58 views

CVE-2022-37311

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.

5.3CVSS5.2AI score0.00243EPSS

CVE•added 2018/06/16 1:29 a.m.•57 views

CVE-2018-5756

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a de...

4.3CVSS5.3AI score0.01022EPSS

CVE•added 2022/12/26 2:15 a.m.•57 views

CVE-2022-37312

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.

5.3CVSS5.2AI score0.00243EPSS

CVE•added 2018/06/16 1:29 a.m.•55 views

CVE-2017-17062

The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.

6.5CVSS5.9AI score0.01966EPSS

CVE•added 2023/11/02 2:15 p.m.•55 views

CVE-2023-26453

Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be execut...

8.8CVSS8.7AI score0.00055EPSS

CVE•added 2018/07/05 8:29 p.m.•54 views

CVE-2018-9997

Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page wit...

6.1CVSS6AI score0.00319EPSS

CVE•added 2021/01/12 8:15 a.m.•53 views

CVE-2020-24701

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).

6.1CVSS5.9AI score0.35513EPSS

CVE•added 2023/11/02 2:15 p.m.•52 views

CVE-2023-29046

Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time...

4.3CVSS4.7AI score0.00061EPSS

CVE•added 2019/06/17 8:15 p.m.•50 views

CVE-2019-7158

OX App Suite 7.10.0 and earlier has Incorrect Access Control.

9.8CVSS9.5AI score0.00518EPSS

CVE•added 2021/01/12 10:15 p.m.•50 views

CVE-2021-23927

OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.

6.4CVSS6.3AI score0.00129EPSS

CVE•added 2024/02/12 9:15 a.m.•50 views

CVE-2023-41706

Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing of user-defined driv...

6.5CVSS6.5AI score0.00227EPSS

CVE•added 2018/06/16 1:29 a.m.•48 views

CVE-2018-5751

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.

6.5CVSS5.7AI score0.01346EPSS

CVE•added 2019/05/23 3:29 p.m.•47 views

CVE-2017-15030

Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

6.1CVSS6.7AI score0.0045EPSS

CVE•added 2021/05/03 8:15 p.m.•47 views

CVE-2020-28945

OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as ![](http://onerror=Function.constructor, in a Notes item.

6.1CVSS5.9AI score0.00403EPSS

CVE•added 2021/01/12 10:15 p.m.•47 views

CVE-2021-23928

OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.

6.1CVSS5.9AI score0.00174EPSS

CVE•added 2017/06/08 9:29 p.m.•46 views

CVE-2015-1588

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21.

6.1CVSS6.1AI score0.00292EPSS

CVE•added 2019/05/23 6:29 p.m.•46 views

CVE-2017-13667

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF.

9.9CVSS9.4AI score0.00405EPSS

CVE•added 2019/05/23 4:29 p.m.•46 views

CVE-2017-13668

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

5.4CVSS6.3AI score0.00343EPSS

CVE•added 2019/06/18 1:15 p.m.•46 views

CVE-2019-7159

OX App Suite 7.10.1 and earlier allows Information Exposure.

7.5CVSS7.5AI score0.00402EPSS

CVE•added 2021/01/12 10:15 p.m.•46 views

CVE-2021-23933

OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.

6.1CVSS5.9AI score0.00174EPSS

CVE•added 2023/11/02 2:15 p.m.•46 views

CVE-2023-29044

Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now get esc...

5.4CVSS5.8AI score0.00156EPSS

CVE•added 2019/05/23 3:29 p.m.•45 views

CVE-2017-5213

Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).

6.1CVSS6.7AI score0.0045EPSS

CVE•added 2019/01/30 3:29 p.m.•45 views

CVE-2018-12611

OX App Suite 7.8.4 and earlier allows Directory Traversal.

6.1CVSS6.2AI score0.00498EPSS

CVE•added 2021/01/12 8:15 a.m.•45 views

CVE-2020-24700

OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.

5.5CVSS5.5AI score0.00295EPSS

CVE•added 2021/01/12 10:15 p.m.•45 views

CVE-2021-23929

OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/?delivery=view URI.

6.1CVSS5.8AI score0.00174EPSS

CVE•added 2021/01/12 10:15 p.m.•45 views

CVE-2021-23931

OX App Suite through 7.10.4 allows XSS via an inline binary file.

6.1CVSS5.9AI score0.00174EPSS

CVE•added 2013/10/03 7:55 p.m.•44 views

CVE-2013-5690

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite before 7.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) content with the text/xml MIME type or (2) the Status comment field of an appointment.

3.5CVSS5.4AI score0.00159EPSS

CVE•added 2016/12/15 6:59 a.m.•44 views

CVE-2016-5740

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This...

6.1CVSS6.2AI score0.00144EPSS

CVE•added 2016/12/15 6:59 a.m.•44 views

CVE-2016-6848

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without a...

5.5CVSS5.9AI score0.00095EPSS

CVE•added 2019/05/10 4:29 p.m.•44 views

CVE-2017-12884

OX Software GmbH App Suite 7.8.4 and earlier is affected by: Information Exposure.

7.5CVSS7.5AI score0.00386EPSS

Total number of security vulnerabilities125