VYPR

OX App Suite

by Open-Xchange

CVEs (21)

  • CVE-2022-24405CriJul 27, 2022
    risk 0.64cvss 9.8epss 0.03

    OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.

  • CVE-2023-24601MedMay 29, 2023
    risk 0.40cvss 6.1epss 0.00

    OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.

  • CVE-2022-37306MedApr 16, 2023
    risk 0.40cvss 6.1epss 0.01

    OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger.

  • CVE-2022-37307MedDec 26, 2022
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.

  • CVE-2022-31469MedDec 26, 2022
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.

  • CVE-2022-23101MedJul 27, 2022
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message.

  • CVE-2021-44212MedMar 28, 2022
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring.

  • CVE-2021-44210MedMar 28, 2022
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data.

  • CVE-2021-44209MedMar 28, 2022
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO.

  • CVE-2021-44208MedMar 28, 2022
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat.

  • CVE-2021-38377MedNov 22, 2021
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results.

  • CVE-2021-38375MedNov 22, 2021
    risk 0.40cvss 6.1epss 0.01

    OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message.

  • CVE-2021-37403MedJul 22, 2021
    risk 0.40cvss 6.1epss 0.01

    OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used.

  • CVE-2021-37402MedJul 22, 2021
    risk 0.40cvss 6.1epss 0.01

    OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled.

  • CVE-2022-29853MedDec 26, 2022
    risk 0.35cvss 5.4epss 0.00

    OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.

  • CVE-2021-38376MedNov 22, 2021
    risk 0.35cvss 5.3epss 0.01

    OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call.

  • CVE-2023-24597MedMay 29, 2023
    risk 0.34cvss 5.3epss 0.01

    OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing.

  • CVE-2023-24604MedMay 29, 2023
    risk 0.28cvss 4.3epss 0.01

    OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data.

  • CVE-2023-24599MedMay 29, 2023
    risk 0.28cvss 4.3epss 0.01

    OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion."

  • CVE-2021-38378MedNov 22, 2021
    risk 0.28cvss 4.3epss 0.01

    OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name.

Page 1 of 2