CVE-2022-24405

OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.

CVE-2022-24406

OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls.

CVE-2021-44209

OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO.

CVE-2021-44212

OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring.

CVE-2021-44213

OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message.

CVE-2021-44210

OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data.

CVE-2021-44211

OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature.

CVE-2021-44208

OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat.

CVE-2022-31468

OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.

CVE-2022-23100

OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment).

CVE-2022-29851

documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occur for an EPS document that is disguised as a PDF document.

CVE-2022-23101

OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message.