27 matches found
CVE-2022-24406
OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls.
CVE-2022-43697
OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob.
CVE-2024-23187
Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deplo...
CVE-2024-23186
E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer m...
CVE-2021-44209
OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO.
CVE-2021-44212
OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring.
CVE-2021-44213
OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message.
CVE-2021-44210
OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data.
CVE-2021-44208
OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat.
CVE-2022-31468
OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.
CVE-2021-33493
The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format.
CVE-2022-23101
OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message.
CVE-2023-24602
OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title.
CVE-2022-43696
OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.
CVE-2021-33488
chat in OX App Suite 7.10.5 has Improper Input Validation. A user can be redirected to a rogue OX Chat server via a development-related hook.
CVE-2022-37306
OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger.
CVE-2021-33492
OX App Suite 7.10.5 allows XSS via an OX Chat room name.
CVE-2021-33489
OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF file.
CVE-2021-33491
OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses in conjunction with auto-configuration DNS records.
CVE-2023-24601
OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.
CVE-2021-33495
OX App Suite 7.10.5 allows XSS via an OX Chat system message.
CVE-2023-24603
OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data.
CVE-2021-33490
OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature.
CVE-2021-33494
OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering.
CVE-2021-38375
OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message.
CVE-2021-38377
OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results.
CVE-2023-29049
The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. Use...