VYPR

Ox Appsuite

by Open-Xchange

CVEs (177)

  • CVE-2023-41710 - Jan 8, 2024
    risk 0.00 cvss epss 0.00

    User-defined script code could be stored for an upsell-related shop URL. This code was not correctly sanitized when adding it to the DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added…

  • CVE-2023-29051 - Jan 8, 2024
    risk 0.00 cvss epss 0.00

    User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects…

  • CVE-2023-29050 - Jan 8, 2024
    risk 0.00 cvss epss 0.00

    The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load…

  • CVE-2023-29049 - Jan 8, 2024
    risk 0.00 cvss epss 0.00

    The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a…

  • CVE-2023-29048 - Jan 8, 2024
    risk 0.00 cvss epss 0.00

    A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and…

  • CVE-2023-29047 - Nov 2, 2023
    risk 0.00 cvss epss 0.00

    Imageconverter API endpoints provided methods that did not sufficiently validate and sanitize client input, allowing injection of arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials could read and modify database content…

  • CVE-2023-29046 - Nov 2, 2023
    risk 0.00 cvss epss 0.00

    Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout; instead, those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an…

  • CVE-2023-29044 - Nov 2, 2023
    risk 0.00 cvss epss 0.00

    Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating…

  • CVE-2023-29043 - Nov 2, 2023
    risk 0.00 cvss epss 0.00

    Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when…

  • CVE-2023-26455 - Nov 2, 2023
    risk 0.00 cvss epss 0.00

    RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated…

  • CVE-2023-26453 - Nov 2, 2023
    risk 0.00 cvss epss 0.00

    Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL…

  • CVE-2023-26452 - Nov 2, 2023
    risk 0.00 cvss epss 0.00

    Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by…

  • CVE-2023-26450 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit…

  • CVE-2023-26448 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    Custom log-in and log-out locations are user-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface…

  • CVE-2023-26446 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    The user's clientID at "application passwords" was not sanitized or escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit…

  • CVE-2023-26445 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the…

  • CVE-2023-26442 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control…

  • CVE-2023-26441 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    Cacheservice did not correctly check if relative cache objects were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are…

  • CVE-2023-26440 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have…

  • CVE-2023-26439 - Aug 2, 2023
    risk 0.00 cvss epss 0.00

    The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as an SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users…

Page 3 of 9