Appsuite

by Open-Xchange

CVEs (218)

  • CVE-2016-5124 | Med | Dec 15, 2016
    risk 0.40 | cvss 6.1 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image…

  • CVE-2016-4045 | Med | Dec 15, 2016
    risk 0.40 | cvss 6.1 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded in RSS feeds using a URL notation. If a user clicks the corresponding link in the RSS reader of App Suite, code gets executed in the context of the user. Malicious script…

  • CVE-2016-4026 | Med | Dec 15, 2016
    risk 0.40 | cvss 6.1 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content when invalid HTML code is provided. In such cases the filter will output an unsanitized representation of the content.…

  • CVE-2016-2840 | Med | Dec 15, 2016
    risk 0.40 | cvss 6.1 | epss 0.02

    An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted…

  • CVE-2018-5755 | Med | Jun 16, 2018
    risk 0.39 | cvss 5.5 | epss 0.08

    Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a…

  • CVE-2018-5754 | Med | Jun 16, 2018
    risk 0.38 | cvss 5.4 | epss 0.03

    Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the…

  • CVE-2016-4046 | Med | Dec 15, 2016
    risk 0.38 | cvss 5.8 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending…

  • CVE-2016-6848 | Med | Dec 15, 2016
    risk 0.36 | cvss 5.5 | epss 0.00

    An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). A malicious platform-specific (e.g. Microsoft Windows) batch file can be created via a…

  • CVE-2025-30186 | Med | Nov 27, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch…

  • CVE-2025-30191 | Med | Oct 31, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked into performing unintended actions or providing sensitive information to a third party, which would enable further threats. Attribute values containing HTML fragments are now denied by the…

  • CVE-2024-23191 | Med | Apr 8, 2024
    risk 0.35 | cvss 5.4 | epss 0.01

    Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to…

  • CVE-2024-23190 | Med | Apr 8, 2024
    risk 0.35 | cvss 5.4 | epss 0.01

    Upsell shop information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously…

  • CVE-2024-23189 | Med | Apr 8, 2024
    risk 0.35 | cvss 5.4 | epss 0.01

    Embedded content references at tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to the user's account, access to another account within the same context or a successful…

  • CVE-2014-2078 | Med | Apr 10, 2018
    risk 0.35 | cvss 5.3 | epss 0.01

    The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain sensitive information about user email addresses in opportunistic circumstances by leveraging a failure in e-mail auto configuration for external accounts.

  • CVE-2016-3173 | Med | Dec 15, 2016
    risk 0.35 | cvss 5.4 | epss 0.01

    An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at…

  • CVE-2018-5756 | Med | Jun 16, 2018
    risk 0.31 | cvss 4.3 | epss 0.06

    The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via…

  • CVE-2016-6852 | Med | Dec 15, 2016
    risk 0.28 | cvss 4.3 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on…

  • CVE-2016-4048 | Med | Dec 15, 2016
    risk 0.28 | cvss 4.3 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow…

  • CVE-2016-4047 | Med | Dec 15, 2016
    risk 0.28 | cvss 4.3 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xlsx files. Those resources were requested when parsing certain parts of the generated document. As…

  • CVE-2016-4027 | Low | Dec 15, 2016
    risk 0.23 | cvss 3.5 | epss 0.01

    An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. The App Suite frontend lets a user control whether to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared…
