CVE-2014-5236

Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file.

CVE-2019-18846

OX App Suite through 7.10.2 allows SSRF.

CVE-2019-16716

OX App Suite through 7.10.2 has Incorrect Access Control.

CVE-2019-16717

OX App Suite through 7.10.2 has XSS.

CVE-2020-15002

OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API.

CVE-2014-5238

XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document.

CVE-2020-12645

OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption.

CVE-2020-12646

OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document.

CVE-2020-12644

OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.

CVE-2020-12643

OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address.