VYPR

Appsuite

by Open-Xchange

CVEs (218)

  • CVE-2013-1646 (Sep 5, 2013)
    risk 0.03 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary web script or HTML via (1) invalid JSON data in a mail-sending POST request, (2) an arbitrary…

  • CVE-2020-24701 (Jan 12, 2021)
    risk 0.02 · cvss · epss 0.07

    OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).

  • CVE-2022-24405 (Jul 27, 2022)
    risk 0.01 · cvss · epss 0.03

    OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.

  • CVE-2022-23100 (Jul 27, 2022)
    risk 0.01 · cvss · epss 0.03

    OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment).

  • CVE-2020-15004 (Oct 23, 2020)
    risk 0.01 · cvss · epss 0.03

    OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.

  • CVE-2020-15002 (Oct 23, 2020)
    risk 0.01 · cvss · epss 0.02

    OX App Suite through 7.10.3 allows SSRF via the /ajax/messaging/message message API.

  • CVE-2014-5236 (Jan 31, 2020)
    risk 0.01 · cvss · epss 0.04

    Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument…

  • CVE-2023-41707 (Feb 12, 2024)
    risk 0.00 · cvss · epss 0.01

    Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related…

  • CVE-2023-41706 (Feb 12, 2024)
    risk 0.00 · cvss · epss 0.01

    Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing…

  • CVE-2023-41705 (Feb 12, 2024)
    risk 0.00 · cvss · epss 0.01

    Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is…

  • CVE-2023-41704 (Feb 12, 2024)
    risk 0.00 · cvss · epss 0.01

    Processing of CID references in E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected into users' sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handling…

  • CVE-2023-41703 (Feb 12, 2024)
    risk 0.00 · cvss · epss 0.01

    User ID references in mentions in document comments were not correctly sanitized. Script code could be injected into a user's session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are…

  • CVE-2023-41710 (Jan 8, 2024)
    risk 0.00 · cvss · epss 0.00

    User-defined script code could be stored for an upsell-related shop URL. This code was not correctly sanitized when adding it to the DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added…

  • CVE-2023-29051 (Jan 8, 2024)
    risk 0.00 · cvss · epss 0.01

    User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects…

  • CVE-2023-29050 (Jan 8, 2024)
    risk 0.00 · cvss · epss 0.02

    The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load…

  • CVE-2023-29049 (Jan 8, 2024)
    risk 0.00 · cvss · epss 0.01

    The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a…

  • CVE-2023-29048 (Jan 8, 2024)
    risk 0.00 · cvss · epss 0.01

    A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and…

  • CVE-2023-29047 (Nov 2, 2023)
    risk 0.00 · cvss · epss 0.00

    Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing injection of arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials could read and modify database content…

  • CVE-2023-29046 (Nov 2, 2023)
    risk 0.00 · cvss · epss 0.00

    Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an…

  • CVE-2023-29044 (Nov 2, 2023)
    risk 0.00 · cvss · epss 0.00

    Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating…

Page 3 of 11