VYPR

Appsuite by Open-Xchange

CVEs (218)

  • CVE-2023-26428, Jun 20, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not…

  • CVE-2023-24605, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens.

  • CVE-2023-24602, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title.

  • CVE-2023-24598, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user.

  • CVE-2023-24600, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book.

  • CVE-2023-24599, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion."

  • CVE-2023-24603, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data.

  • CVE-2023-24597, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing.

  • CVE-2023-24604, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data.

  • CVE-2023-24601, May 29, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.

  • CVE-2022-37306, Apr 16, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger.

  • CVE-2022-43699, Apr 15, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external domain (found in the host part of an e-mail address).

  • CVE-2022-43696, Apr 15, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.

  • CVE-2022-43698, Apr 15, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list.

  • CVE-2022-43697, Apr 15, 2023
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob.

  • CVE-2022-37313, Dec 26, 2022
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS A or AAAA record; a host that also resolves to an internal address in a later record passes the check.

  • CVE-2022-37310, Dec 26, 2022
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.

  • CVE-2022-37311, Dec 26, 2022
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.

  • CVE-2022-37308, Dec 26, 2022
    risk 0.00 · cvss n/a · epss 0.01

    OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.

  • CVE-2022-29853, Dec 26, 2022
    risk 0.00 · cvss n/a · epss 0.00

    OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.
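CVE-2023-24603 and CVE-2023-24604 above describe the same failure mode from two sides: a remote iCal feed is downloaded without a cap on the body and without a cap on the header block, so a hostile server can stream data until the fetching process runs out of memory. The following is an added example, written for this page and not code from OX App Suite, of a reader that enforces both caps before trusting anything the server declares. The cap values, the fake responses and the endless-stream classes are constructed here so the example runs offline; in a real fetcher the stream would be the socket file of the HTTPS connection.

```python
import io
from typing import Dict, Tuple

# Caps chosen for this example; tune them to the largest legitimate feed you expect.
MAX_HEADER_LINE = 8 * 1024        # one header line
MAX_HEADER_BYTES = 64 * 1024      # the whole header block
MAX_HEADER_COUNT = 100            # number of header lines
MAX_BODY_BYTES = 5 * 1024 * 1024  # a calendar feed, not a backup


class LimitExceeded(Exception):
    pass


def _read_line(stream, limit: int) -> bytes:
    # Ask for limit+1 so an over-long line is detected instead of silently split.
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise LimitExceeded("header line longer than %d bytes" % limit)
    return line


def read_bounded_response(stream) -> Tuple[bytes, Dict[str, str], bytes]:
    """Parse an HTTP/1.x response with hard limits on header and body size."""
    status = _read_line(stream, MAX_HEADER_LINE)
    headers: Dict[str, str] = {}
    total, count = len(status), 0
    while True:
        line = _read_line(stream, MAX_HEADER_LINE)
        total += len(line)
        if total > MAX_HEADER_BYTES:
            raise LimitExceeded("header block larger than %d bytes" % MAX_HEADER_BYTES)
        if line in (b"\r\n", b"\n", b""):      # blank line or EOF ends the headers
            break
        count += 1
        if count > MAX_HEADER_COUNT:
            raise LimitExceeded("more than %d header lines" % MAX_HEADER_COUNT)
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    # Reject early on the declared size, but never rely on it: the body is read
    # with its own cap whether or not Content-Length was sent or was truthful.
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) > MAX_BODY_BYTES:
        raise LimitExceeded("declared body of %s bytes exceeds cap" % declared)
    body = stream.read(MAX_BODY_BYTES + 1)
    if len(body) > MAX_BODY_BYTES:
        raise LimitExceeded("body exceeds %d bytes" % MAX_BODY_BYTES)
    return status.strip(), headers, body


def safe_fetch(stream) -> Tuple[str, str]:
    """Returns ("ok", body text) or ("rejected", reason)."""
    try:
        _, _, body = read_bounded_response(stream)
        return "ok", body.decode("utf-8", "replace")
    except LimitExceeded as exc:
        return "rejected", str(exc)


# Constructed responses standing in for a remote calendar server.
GOOD_ICAL = b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n"


def good_response() -> io.BytesIO:
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/calendar\r\nContent-Length: %d\r\n\r\n" % len(GOOD_ICAL)
    return io.BytesIO(head + GOOD_ICAL)


def oversized_declared() -> io.BytesIO:
    head = b"HTTP/1.1 200 OK\r\nContent-Length: 1099511627776\r\n\r\n"  # claims 1 TiB
    return io.BytesIO(head + GOOD_ICAL)


class EndlessBody:
    """Server that sends a valid header block and then never stops sending body bytes."""
    def __init__(self):
        self._head = io.BytesIO(b"HTTP/1.1 200 OK\r\nContent-Type: text/calendar\r\n\r\n")

    def readline(self, limit=-1):
        return self._head.readline(limit)

    def read(self, n=-1):
        if n is None or n < 0:
            raise RuntimeError("unbounded read requested")  # the call the cap exists to prevent
        rest = self._head.read(n)
        return rest + b"X" * (n - len(rest))


class EndlessHeaders:
    """Server that never ends its header block."""
    def __init__(self):
        self._first = True

    def readline(self, limit=-1):
        if self._first:
            self._first = False
            return b"HTTP/1.1 200 OK\r\n"
        line = b"X-Padding: " + b"a" * 200 + b"\r\n"
        return line if limit is None or limit < 0 else line[:limit]

    def read(self, n=-1):
        return b""


if __name__ == "__main__":
    for name, mk in (("good", good_response), ("declared", oversized_declared),
                     ("endless body", EndlessBody), ("endless headers", EndlessHeaders)):
        print(name, "->", safe_fetch(mk())[0])
```

The order matters: the header caps apply before any Content-Length is believed, the declared length is only an early-exit, and the body cap is enforced by asking for at most one byte more than the limit rather than by trusting the server. A reader that only checked Content-Length would still be beaten by a response with no length header, which is what the endless-body case models.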
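Three entries above are the same anti-SSRF deny-list failing in different ways: CVE-2022-37313 (only the first A/AAAA record is checked), CVE-2022-43699 (e-mail account discovery skips the deny-list entirely) and CVE-2022-43698 (changing a POP3 account skips it). The following is an added example, not code from OX App Suite, showing the first-record-only pattern next to a check that inspects every record, handles IP literals, and returns the vetted addresses so the caller connects to one of them rather than resolving again. The deny-list ranges, the in-memory DNS table and the hostnames are constructed for this example so it runs offline; a real resolver call would replace `fake_resolve`.

```python
import ipaddress
from typing import Callable, List

# Ranges an outbound connection (autodiscovery, POP3/IMAP setup, feed fetch)
# must never reach. Constructed for this example; a deployment adds its own
# internal ranges and any cloud metadata-service addresses.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS: hostname -> A/AAAA records in resolver order.
FAKE_DNS = {
    "mail.example.net": ["203.0.113.10"],
    # Attacker-controlled zones: a harmless public address first, an internal
    # one second. A check that stops at records[0] lets these through.
    "split.attacker.example": ["203.0.113.20", "10.0.0.5"],
    "v6.attacker.example": ["203.0.113.30", "fd00::1"],
}

Resolver = Callable[[str], List[str]]


def fake_resolve(host: str) -> List[str]:
    return list(FAKE_DNS.get(host, []))


def is_denied(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Membership across IP versions is simply False, so mixing v4 and v6 is safe.
    return any(addr in net for net in DENY_NETWORKS)


def first_record_only(host: str, resolve: Resolver = fake_resolve) -> bool:
    """The flawed pattern: only the first record is inspected."""
    records = resolve(host)
    return bool(records) and not is_denied(records[0])


def pinned_addresses(host: str, resolve: Resolver = fake_resolve) -> List[str]:
    """Hardened check: every record must pass the deny-list.

    Returns the vetted list so the caller connects to one of *these* addresses
    instead of resolving a second time, which would let a rebinding answer
    replace the vetted address with an internal one.
    """
    try:
        # An IP literal needs no DNS, but still has to face the deny-list.
        records = [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        records = resolve(host)
    if not records:
        raise ValueError("%s: no A/AAAA records" % host)
    denied = [ip for ip in records if is_denied(ip)]
    if denied:
        raise ValueError("%s: resolves to denied address(es) %s" % (host, denied))
    return records


def every_record_allowed(host: str, resolve: Resolver = fake_resolve) -> bool:
    try:
        pinned_addresses(host, resolve)
        return True
    except ValueError:
        return False


def host_from_email(address: str) -> str:
    """Autodiscovery derives a candidate server from the mailbox domain; that
    derived host must go through the same check as a server name typed in by
    the user, which is the path CVE-2022-43699 describes as missing."""
    _, _, domain = address.rpartition("@")
    if not domain:
        raise ValueError("not an e-mail address")
    return domain.lower()


if __name__ == "__main__":
    for h in FAKE_DNS:
        print("%-25s first-record-only=%-5s all-records=%s"
              % (h, first_record_only(h), every_record_allowed(h)))
```

Two points the code makes beyond the advisory text: the check is a function that returns the addresses to use, so there is exactly one place for every code path (discovery, account creation, account change) to call, and a path that forgets to call it is a grep away; and the caller must connect to a returned address rather than the hostname, otherwise a second resolution after the check reopens the gap the all-records check closed.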

Page 5 of 11