Open-xchange Open-xchange Appsuite

61 matches found

added 2021/04/30 10:15 p.m. | 84 views

CVE-2020-28943

OX App Suite 7.10.4 and earlier allows SSRF via a snippet.

CVSS 6.5 | AI score 6.4 | EPSS 0.00212

added 2021/04/30 10:15 p.m. | 84 views

CVE-2021-31935

OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.

CVSS 6.1 | AI score 5.8 | EPSS 0.00174

added 2022/12/26 4:15 a.m. | 78 views

CVE-2022-37310

OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.

CVSS 6.1 | AI score 5.9 | EPSS 0.00553

added 2020/01/02 7:15 p.m. | 75 views

CVE-2013-6242

Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. NOTE: the vulnerabilities related to the body of the email and ...

CVSS 6.1 | AI score 6.2 | EPSS 0.00748

added 2021/04/30 10:15 p.m. | 75 views

CVE-2021-31934

OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.

CVSS 6.1 | AI score 5.8 | EPSS 0.00174

added 2020/01/02 7:15 p.m. | 69 views

CVE-2013-7485

Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message. NOTE: this vulnerab...

CVSS 6.1 | AI score 6 | EPSS 0.00947

added 2020/01/02 7:15 p.m. | 68 views

CVE-2013-7486

Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affec...

CVSS 6.1 | AI score 6 | EPSS 0.00922

added 2022/12/26 2:15 a.m. | 66 views

CVE-2022-31469

OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.

CVSS 6.1 | AI score 5.9 | EPSS 0.00553

added 2020/01/06 8:15 p.m. | 65 views

CVE-2019-16717

OX App Suite through 7.10.2 has XSS.

CVSS 6.1 | AI score 6.3 | EPSS 0.00361

added 2018/06/16 1:29 a.m. | 63 views

CVE-2018-5753

The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.

CVSS 6.5 | AI score 6 | EPSS 0.01833

added 2019/10/14 5:15 p.m. | 62 views

CVE-2019-14227

OX App Suite 7.10.1 and 7.10.2 allows XSS.

CVSS 6.1 | AI score 6.3 | EPSS 0.00288

added 2022/12/26 3:15 a.m. | 62 views

CVE-2022-37308

OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.

CVSS 6.1 | AI score 5.9 | EPSS 0.00553

added 2022/12/26 2:15 a.m. | 60 views

CVE-2022-37307

OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.

CVSS 6.1 | AI score 6 | EPSS 0.00858

added 2022/12/26 4:15 a.m. | 60 views

CVE-2022-37309

OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.

CVSS 6.1 | AI score 6 | EPSS 0.00553

added 2018/06/16 1:29 a.m. | 55 views

CVE-2017-17062

The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.

CVSS 6.5 | AI score 5.9 | EPSS 0.01966

added 2018/07/05 8:29 p.m. | 54 views

CVE-2018-9997

Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page wit...

CVSS 6.1 | AI score 6 | EPSS 0.00319

added 2021/01/12 8:15 a.m. | 53 views

CVE-2020-24701

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).

CVSS 6.1 | AI score 5.9 | EPSS 0.35513

added 2021/01/12 10:15 p.m. | 50 views

CVE-2021-23927

OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.

CVSS 6.4 | AI score 6.3 | EPSS 0.00129

added 2024/02/12 9:15 a.m. | 50 views

CVE-2023-41706

Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing of user-defined driv...

CVSS 6.5 | AI score 6.5 | EPSS 0.00227

added 2018/06/16 1:29 a.m. | 48 views

CVE-2018-5751

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.

CVSS 6.5 | AI score 5.7 | EPSS 0.01346

added 2019/05/23 3:29 p.m. | 47 views

CVE-2017-15030

Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

CVSS 6.1 | AI score 6.7 | EPSS 0.0045

added 2021/05/03 8:15 p.m. | 47 views

CVE-2020-28945

OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as ![](http://onerror=Function.constructor, in a Notes item.

CVSS 6.1 | AI score 5.9 | EPSS 0.00403

added 2021/01/12 10:15 p.m. | 47 views

CVE-2021-23928

OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2017/06/08 9:29 p.m. | 46 views

CVE-2015-1588

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21.

CVSS 6.1 | AI score 6.1 | EPSS 0.00292

added 2021/01/12 10:15 p.m. | 46 views

CVE-2021-23933

OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2019/05/23 3:29 p.m. | 45 views

CVE-2017-5213

Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross Site Scripting (XSS).

CVSS 6.1 | AI score 6.7 | EPSS 0.0045

added 2019/01/30 3:29 p.m. | 45 views

CVE-2018-12611

OX App Suite 7.8.4 and earlier allows Directory Traversal.

CVSS 6.1 | AI score 6.2 | EPSS 0.00498

added 2021/01/12 10:15 p.m. | 45 views

CVE-2021-23929

OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/<share-token>?delivery=view URI.

CVSS 6.1 | AI score 5.8 | EPSS 0.00174

added 2021/01/12 10:15 p.m. | 45 views

CVE-2021-23931

OX App Suite through 7.10.4 allows XSS via an inline binary file.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2016/12/15 6:59 a.m. | 44 views

CVE-2016-5740

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This...

CVSS 6.1 | AI score 6.2 | EPSS 0.00144

added 2021/07/22 5:15 p.m. | 44 views

CVE-2021-37402

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled.

CVSS 6.1 | AI score 6 | EPSS 0.00978

added 2021/01/12 10:15 p.m. | 43 views

CVE-2021-23932

OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2021/01/12 10:15 p.m. | 43 views

CVE-2021-23935

OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2021/01/12 10:15 p.m. | 41 views

CVE-2021-23930

OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.

CVSS 6.1 | AI score 6 | EPSS 0.00174

added 2019/05/22 8:29 p.m. | 40 views

CVE-2017-9808

OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

CVSS 6.1 | AI score 6.1 | EPSS 0.00359

added 2019/01/30 3:29 p.m. | 40 views

CVE-2018-12609

OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery.

CVSS 6.5 | AI score 6.5 | EPSS 0.00386

added 2021/01/12 10:15 p.m. | 40 views

CVE-2021-23934

OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.

CVSS 6.1 | AI score 5.9 | EPSS 0.00174

added 2021/07/22 5:15 p.m. | 39 views

CVE-2021-26698

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used.

CVSS 6.1 | AI score 6 | EPSS 0.01456

added 2023/11/02 2:15 p.m. | 39 views

CVE-2023-29043

Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when performing certain a...

CVSS 6.1 | AI score 6.2 | EPSS 0.0012

added 2019/05/10 3:29 p.m. | 38 views

CVE-2017-12885

OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

CVSS 6.1 | AI score 6.2 | EPSS 0.0045

added 2021/01/12 10:15 p.m. | 38 views

CVE-2021-23936

OX App Suite through 7.10.4 allows XSS via the subject of a task.

CVSS 6.1 | AI score 6 | EPSS 0.00174

added 2014/11/21 3:59 p.m. | 37 views

CVE-2014-7871

SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVSS 6.5 | AI score 8 | EPSS 0.00308

added 2016/12/15 6:59 a.m. | 37 views

CVE-2016-6843

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a use...

CVSS 6.1 | AI score 6.2 | EPSS 0.002

added 2020/06/16 2:15 p.m. | 37 views

CVE-2020-8541

OX App Suite through 7.10.3 allows XXE attacks.

CVSS 6.5 | AI score 6.5 | EPSS 0.00207

added 2020/06/16 2:15 p.m. | 37 views

CVE-2020-8544

OX App Suite through 7.10.3 allows SSRF.

CVSS 6.5 | AI score 6.5 | EPSS 0.00207

added 2016/12/15 6:59 a.m. | 36 views

CVE-2016-4026

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output an unsanitized representation of the content. Malicious script code can b...

CVSS 6.1 | AI score 6.2 | EPSS 0.00211

added 2016/12/15 6:59 a.m. | 36 views

CVE-2016-6844

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can...

CVSS 6.1 | AI score 6.3 | EPSS 0.00265

added 2016/12/15 6:59 a.m. | 35 views

CVE-2016-2840

An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. Wh...

CVSS 6.1 | AI score 6.2 | EPSS 0.0034

added 2016/12/15 6:59 a.m. | 35 views

CVE-2016-4045

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script code can be executed w...

CVSS 6.1 | AI score 6.2 | EPSS 0.00211

added 2016/12/15 6:59 a.m. | 34 views

CVE-2016-6842

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed wit...

CVSS 6.1 | AI score 6.3 | EPSS 0.00265

Total number of security vulnerabilities: 61