Appsuite
by Open-Xchange
CVEs (144)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-13667 | | Cri | 0.64 | 9.9 | 0.01 | | May 23, 2019 | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. |
| CVE-2017-5212 | | Cri | 0.64 | 9.8 | 0.01 | | May 23, 2019 | Open-Xchange GmbH OX App Suite 7.8.3 is affected by: Incorrect Access Control. |
| CVE-2017-5210 | | Cri | 0.64 | 9.8 | 0.01 | | May 23, 2019 | Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Information Exposure. |
| CVE-2017-17060 | | Cri | 0.64 | 9.8 | 0.01 | | May 23, 2019 | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecure Permissions. |
| CVE-2017-5863 | | Cri | 0.64 | 9.8 | 0.01 | | May 22, 2019 | Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. |
| CVE-2018-5752 | | Hig | 0.61 | 8.8 | 0.08 | | Jun 16, 2018 | The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations… |
| CVE-2023-29048 | | Hig | 0.57 | 8.8 | 0.01 | | Jan 8, 2024 | A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and… |
| CVE-2017-8340 | | Hig | 0.57 | 8.8 | 0.01 | | May 22, 2019 | Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. |
| CVE-2017-6912 | | Hig | 0.57 | 8.8 | 0.01 | | May 22, 2019 | Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. |
| CVE-2023-29051 | | Hig | 0.53 | 8.1 | 0.01 | | Jan 8, 2024 | User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects… |
| CVE-2014-5238 | | Hig | 0.51 | 7.8 | 0.02 | | Jan 14, 2020 | XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document. |
| CVE-2023-29050 | | Hig | 0.50 | 7.6 | 0.02 | | Jan 8, 2024 | The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load… |
| CVE-2025-30188 | | Hig | 0.49 | 7.5 | 0.00 | | Oct 31, 2025 | Malicious or unintentional API requests can be used to add significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No… |
| CVE-2023-26454 | | Hig | 0.49 | 7.6 | 0.00 | | Nov 2, 2023 | Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL… |
| CVE-2023-26453 | | Hig | 0.49 | 7.6 | 0.00 | | Nov 2, 2023 | Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL… |
| CVE-2023-26452 | | Hig | 0.49 | 7.6 | 0.00 | | Nov 2, 2023 | Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by… |
| CVE-2023-26451 | | Hig | 0.49 | 7.5 | 0.01 | | Aug 2, 2023 | Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service. Authorization codes were predictable for third parties and could be used to intercept and take over the client authorization process. As a result,… |
| CVE-2023-26439 | | Hig | 0.49 | 7.6 | 0.00 | | Aug 2, 2023 | The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users… |
| CVE-2014-5236 | | Hig | 0.49 | 7.5 | 0.04 | | Jan 31, 2020 | Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument… |
| CVE-2017-5211 | | Hig | 0.49 | 7.5 | 0.01 | | May 23, 2019 | Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Content Spoofing. |
Page 1 of 8