Ox Appsuite
by Open-Xchange
CVEs (177)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-4048 | | Med | 0.28 | 4.3 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow… |
| CVE-2016-4047 | | Med | 0.28 | 4.3 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xlsx files. Those resources were requested when parsing certain parts of the generated document. As… |
| CVE-2016-4027 | | Low | 0.23 | 3.5 | 0.00 | | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared… |
| CVE-2018-5752 | | | 0.03 | — | 0.02 | | Jun 15, 2018 | The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations… |
| CVE-2018-5754 | | | 0.03 | — | 0.00 | | Jun 15, 2018 | Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the… |
| CVE-2017-17062 | | | 0.03 | — | 0.01 | | Jun 15, 2018 | The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management. |
| CVE-2018-5751 | | | 0.03 | — | 0.01 | | Jun 15, 2018 | The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the… |
| CVE-2018-5756 | | | 0.03 | — | 0.01 | | Jun 15, 2018 | The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via… |
| CVE-2018-5755 | | | 0.03 | — | 0.01 | | Jun 15, 2018 | Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a… |
| CVE-2018-5753 | | | 0.03 | — | 0.02 | | Jun 15, 2018 | The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via Unicode characters in the "personal part" of a (1) From or (2)… |
| CVE-2020-24701 | | | 0.02 | — | 0.27 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI). |
| CVE-2022-24405 | | | 0.01 | — | 0.08 | | Jul 27, 2022 | OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. |
| CVE-2020-15004 | | | 0.01 | — | 0.09 | | Oct 23, 2020 | OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS. |
| CVE-2020-15002 | | | 0.01 | — | 0.09 | | Oct 23, 2020 | OX App Suite through 7.10.3 allows SSRF via the /ajax/messaging/message message API. |
| CVE-2014-5236 | | | 0.01 | — | 0.07 | | Jan 31, 2020 | Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument… |
| CVE-2023-41707 | | | 0.00 | — | 0.00 | | Feb 12, 2024 | Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related… |
| CVE-2023-41706 | | | 0.00 | — | 0.00 | | Feb 12, 2024 | Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing… |
| CVE-2023-41705 | | | 0.00 | — | 0.00 | | Feb 12, 2024 | Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is… |
| CVE-2023-41704 | | | 0.00 | — | 0.00 | | Feb 12, 2024 | Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a user's session when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handing… |
| CVE-2023-41703 | | | 0.00 | — | 0.01 | | Feb 12, 2024 | User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a user's session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are… |