Appsuite
by Open-Xchange
CVEs (218)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-33494 | 0.00 | — | 0.01 | Nov 22, 2021 | OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. |
| CVE-2021-33493 | 0.00 | — | 0.00 | Nov 22, 2021 | The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format. |
| CVE-2021-33492 | 0.00 | — | 0.01 | Nov 22, 2021 | OX App Suite 7.10.5 allows XSS via an OX Chat room name. |
| CVE-2021-33491 | 0.00 | — | 0.02 | Nov 22, 2021 | OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses in conjunction with auto-configuration DNS records. |
| CVE-2021-33490 | 0.00 | — | 0.01 | Nov 22, 2021 | OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature. |
| CVE-2021-26699 | 0.00 | — | 0.02 | Jul 22, 2021 | OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used. |
| CVE-2021-37403 | 0.00 | — | 0.01 | Jul 22, 2021 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used. |
| CVE-2021-37402 | 0.00 | — | 0.01 | Jul 22, 2021 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled. |
| CVE-2021-26698 | 0.00 | — | 0.01 | Jul 22, 2021 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used. |
| CVE-2020-28945 | 0.00 | — | 0.01 | May 3, 2021 | OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as  that is mishandled in the App Suite UI on a smartphone. |
| CVE-2021-31935 | 0.00 | — | 0.01 | Apr 30, 2021 | OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view. |
| CVE-2020-28943 | 0.00 | — | 0.01 | Apr 30, 2021 | OX App Suite 7.10.4 and earlier allows SSRF via a snippet. |
| CVE-2021-23927 | 0.00 | — | 0.01 | Jan 12, 2021 | OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. |
| CVE-2021-23928 | 0.00 | — | 0.01 | Jan 12, 2021 | OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string. |
| CVE-2021-23929 | 0.00 | — | 0.01 | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/?delivery=view URI. |
| CVE-2021-23930 | 0.00 | — | 0.01 | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. |
| CVE-2021-23932 | 0.00 | — | 0.01 | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename. |
| CVE-2021-23933 | 0.00 | — | 0.01 | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL. |
| CVE-2021-23934 | 0.00 | — | 0.01 | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. |