Ox App Suite Security Vulnerabilities and Issues — Ox App Suite CVE List

Lucene search

Open-xchangeOx App Suite

14 matches found

CVE•added 2023/04/15 2:15 a.m.•271 views

CVE-2022-43699

OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external domain (found in the host part of an e-mail address).

4.3CVSS4.7AI score0.00065EPSS

CVE•added 2023/04/15 2:15 a.m.•199 views

CVE-2022-43697

OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob.

6.1CVSS5.9AI score0.00098EPSS

CVE•added 2023/05/29 3:15 a.m.•67 views

CVE-2023-24598

OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user.

4.3CVSS4.3AI score0.00078EPSS

CVE•added 2023/04/15 2:15 a.m.•46 views

CVE-2022-43698

OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list.

4.3CVSS4.7AI score0.00065EPSS

CVE•added 2023/05/29 3:15 a.m.•45 views

CVE-2023-24599

OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion."

4.3CVSS4.6AI score0.00064EPSS

CVE•added 2023/05/29 3:15 a.m.•44 views

CVE-2023-24602

OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title.

6.1CVSS5.9AI score0.00166EPSS

CVE•added 2023/04/15 2:15 a.m.•43 views

CVE-2022-43696

OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.

6.1CVSS5.9AI score0.00098EPSS

CVE•added 2023/04/16 2:15 a.m.•42 views

CVE-2022-37306

OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger.

6.1CVSS5.9AI score0.00166EPSS

CVE•added 2023/05/29 2:15 a.m.•42 views

CVE-2023-24597

OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing.

5.3CVSS5.3AI score0.00084EPSS

CVE•added 2023/05/29 3:15 a.m.•40 views

CVE-2023-24604

OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data.

4.3CVSS4.5AI score0.00047EPSS

CVE•added 2023/05/29 3:15 a.m.•39 views

CVE-2023-24601

OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.

6.1CVSS5.9AI score0.00166EPSS

CVE•added 2023/05/29 3:15 a.m.•37 views

CVE-2023-24600

OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book.

4.3CVSS4.4AI score0.00042EPSS

CVE•added 2023/05/29 3:15 a.m.•37 views

CVE-2023-24603

OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data.

6.5CVSS6.3AI score0.00069EPSS

CVE•added 2023/05/29 3:15 a.m.•36 views

CVE-2023-24605

OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens.

4.2CVSS4.5AI score0.0006EPSS