CVE-2020-15004
Description
OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OX App Suite up to 7.10.3 is vulnerable to reflected XSS via the stats/diagnostic endpoint's param parameter.
Vulnerability
OX App Suite versions through 7.10.3 contain a reflected cross-site scripting (XSS) vulnerability in the stats/diagnostic endpoint. The param parameter is not properly sanitized before being reflected in the response, allowing an attacker to inject arbitrary HTML or JavaScript. This issue affects all deployments using the affected versions.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a param value with JavaScript payload. The victim must be tricked into clicking the crafted link while authenticated to an OX App Suite instance. No additional privileges or user interaction beyond clicking the link are required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, or other actions performed on behalf of the victim within the OX App Suite application.
Mitigation
Open-Xchange has not published a specific fix in the available references [1]. Users should upgrade to a version later than 7.10.3 or contact the vendor for patch information. As a workaround, administrators can implement web application firewall rules to filter malicious param values.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- OX/App Suitedescription
- Range: <=7.10.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- seclists.org/fulldisclosure/2020/Oct/20mitrex_refsource_MISC
- www.open-xchange.commitrex_refsource_MISC
News mentions
0No linked articles in our index yet.