Ox Appsuite
by Open-Xchange
CVEs (177)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-3174 | | High | 0.48 | 7.4 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a… |
| CVE-2016-5740 | | Med | 0.43 | 6.1 | 0.01 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the… |
| CVE-2024-23188 | | Med | 0.42 | 6.5 | 0.00 | | May 6, 2024 | Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information… |
| CVE-2024-23192 | | Med | 0.40 | 6.1 | 0.00 | | Apr 8, 2024 | RSS feeds that contain malicious data- attributes could be abused to inject script code to a user's browser session when reading compromised RSS feeds or successfully luring users to compromised accounts. Attackers could perform malicious API requests or extract information from… |
| CVE-2016-6850 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image… |
| CVE-2016-6847 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a… |
| CVE-2016-6845 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead… |
| CVE-2016-6844 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references.… |
| CVE-2016-6843 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most… |
| CVE-2016-6842 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code… |
| CVE-2016-5124 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image… |
| CVE-2016-4045 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script… |
| CVE-2016-4026 | | Med | 0.40 | 6.1 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output an unsanitized representation of the content.… |
| CVE-2016-2840 | | Med | 0.40 | 6.1 | 0.01 | | Dec 15, 2016 | An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted… |
| CVE-2016-4046 | | Med | 0.38 | 5.8 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending… |
| CVE-2016-6848 | | Med | 0.36 | 5.5 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a… |
| CVE-2024-23190 | | Med | 0.35 | 5.4 | 0.00 | | Apr 8, 2024 | Upsell shop information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously… |
| CVE-2024-23189 | | Med | 0.35 | 5.4 | 0.00 | | Apr 8, 2024 | Embedded content references at tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this an attacker would require temporary access to the user's account, access to another account within the same context or a successful… |
| CVE-2016-3173 | | Med | 0.35 | 5.4 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at… |
| CVE-2016-6852 | | Med | 0.28 | 4.3 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on… |
Page 1 of 9