Appsuite
by Open-Xchange
CVEs (218)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-26428 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | Jun 20, 2023 | Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not… |
| CVE-2023-24605 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | May 29, 2023 | OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. |
| CVE-2023-24602 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | May 29, 2023 | OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. |
| CVE-2023-24598 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | May 29, 2023 | OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. |
| CVE-2023-24600 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | May 29, 2023 | OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. |
| CVE-2023-24599 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | May 29, 2023 | OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion." |
| CVE-2023-24603 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | May 29, 2023 | OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data. |
| CVE-2023-24597 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | May 29, 2023 | OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. |
| CVE-2023-24604 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | May 29, 2023 | OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. |
| CVE-2023-24601 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | May 29, 2023 | OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. |
| CVE-2022-37306 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | Apr 16, 2023 | OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger. |
| CVE-2022-43699 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | Apr 15, 2023 | OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external domain (found in the host part of an e-mail address). |
| CVE-2022-43696 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | Apr 15, 2023 | OX App Suite before 7.10.6-rev20 allows XSS via upsell ads. |
| CVE-2022-43698 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | Apr 15, 2023 | OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list. |
| CVE-2022-43697 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | Apr 15, 2023 | OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob. |
| CVE-2022-37313 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | Dec 26, 2022 | OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. |
| CVE-2022-37310 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | Dec 26, 2022 | OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. |
| CVE-2022-37311 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | Dec 26, 2022 | OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. |
| CVE-2022-37308 | Open-Xchange / Appsuite | | 0.00 | — | 0.01 | | Dec 26, 2022 | OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. |
| CVE-2022-29853 | Open-Xchange / Appsuite | | 0.00 | — | 0.00 | | Dec 26, 2022 | OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. |
Page 5 of 11