App Suite
by Open-Xchange
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-23100 | | Cri | 0.64 | 9.8 | 0.03 | | Jul 27, 2022 | OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). |
| CVE-2021-23927 | | Med | 0.42 | 6.4 | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. |
| CVE-2020-8541 | | Med | 0.42 | 6.5 | 0.01 | | Jun 16, 2020 | OX App Suite through 7.10.3 allows XXE attacks. |
| CVE-2021-44213 | | Med | 0.40 | 6.1 | 0.01 | | Mar 28, 2022 | OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message. |
| CVE-2021-44210 | | Med | 0.40 | 6.1 | 0.01 | | Mar 28, 2022 | OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data. |
| CVE-2021-33494 | | Med | 0.40 | 6.1 | 0.01 | | Nov 22, 2021 | OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. |
| CVE-2021-33492 | | Med | 0.40 | 6.1 | 0.01 | | Nov 22, 2021 | OX App Suite 7.10.5 allows XSS via an OX Chat room name. |
| CVE-2021-26698 | | Med | 0.40 | 6.1 | 0.01 | | Jul 22, 2021 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used. |
| CVE-2021-31935 | | Med | 0.40 | 6.1 | 0.01 | | Apr 30, 2021 | OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view. |
| CVE-2021-23936 | | Med | 0.40 | 6.1 | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via the subject of a task. |
| CVE-2021-23934 | | Med | 0.40 | 6.1 | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. |
| CVE-2021-23930 | | Med | 0.40 | 6.1 | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. |
| CVE-2022-23099 | | Med | 0.35 | 5.4 | 0.01 | | Jul 27, 2022 | OX App Suite through 7.10.6 allows XSS by forcing block-wise read. |
| CVE-2021-44211 | | Med | 0.35 | 5.4 | 0.01 | | Mar 28, 2022 | OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature. |
| CVE-2021-38376 | | Med | 0.35 | 5.3 | 0.01 | | Nov 22, 2021 | OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call. |