Vendor CVEs
Open-Xchange
All CVEs
256 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-6852 | Med | 0.28 | 4.3 | 0.01 | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on… | ||
| CVE-2016-4048 | Med | 0.28 | 4.3 | 0.01 | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow… | ||
| CVE-2016-4047 | Med | 0.28 | 4.3 | 0.01 | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As… | ||
| CVE-2026-27859 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC 2231 MIME parameters in mail messages,… | ||
| CVE-2026-0394 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading… | ||
| CVE-2025-59028 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in… | ||
| CVE-2016-4027 | Low | 0.23 | 3.5 | 0.01 | Dec 15, 2016 | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared… | ||
| CVE-2026-27857 | Med | 0.21 | 4.3 | 0.01 | Mar 27, 2026 | Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect… | ||
| CVE-2025-59031 | Med | 0.21 | 4.3 | 0.00 | Mar 27, 2026 | Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not… | ||
| CVE-2026-40020 | Low | 0.20 | 3.1 | 0.00 | May 12, 2026 | Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is… | ||
| CVE-2026-27860 | Low | 0.17 | 3.7 | 0.00 | Mar 27, 2026 | If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly… | ||
| CVE-2013-1651 | 0.03 | — | 0.01 | Sep 5, 2013 | OXUpdater in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof update servers and install arbitrary software via a crafted certificate. | |||
| CVE-2013-1650 | 0.03 | — | 0.01 | Sep 5, 2013 | Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses weak permissions (group "other" readable) under opt/open-xchange/etc/, which allows local users to obtain sensitive information via standard filesystem operations. | |||
| CVE-2013-1649 | 0.03 | — | 0.02 | Sep 5, 2013 | Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses the crypt and SHA-1 algorithms for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack. | |||
| CVE-2013-1648 | 0.03 | — | 0.01 | Sep 5, 2013 | The Subscriptions feature in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not properly validate the publication-source URL, which allows remote authenticated users to trigger arbitrary outbound TCP traffic via a crafted Source field,… | |||
| CVE-2013-1647 | 0.03 | — | 0.02 | Sep 5, 2013 | Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1)… | |||
| CVE-2013-1646 | 0.03 | — | 0.01 | Sep 5, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary web script or HTML via (1) invalid JSON data in a mail-sending POST request, (2) an arbitrary… | |||
| CVE-2013-1645 | 0.03 | — | 0.03 | Sep 5, 2013 | Directory traversal vulnerability in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the publication template path. | |||
| CVE-2020-24701 | 0.02 | — | 0.07 | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI). | |||
| CVE-2022-24405 | 0.01 | — | 0.03 | Jul 27, 2022 | OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. | |||
| CVE-2022-23100 | 0.01 | — | 0.03 | Jul 27, 2022 | OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). | |||
| CVE-2020-15004 | 0.01 | — | 0.03 | Oct 23, 2020 | OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS. | |||
| CVE-2020-15002 | 0.01 | — | 0.02 | Oct 23, 2020 | OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API. | |||
| CVE-2014-5236 | 0.01 | — | 0.04 | Jan 31, 2020 | Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument… | |||
| CVE-2023-41707 | 0.00 | — | 0.01 | Feb 12, 2024 | Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related… | |||
| CVE-2023-41706 | 0.00 | — | 0.01 | Feb 12, 2024 | Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing… | |||
| CVE-2023-41705 | 0.00 | — | 0.01 | Feb 12, 2024 | Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is… | |||
| CVE-2023-41704 | 0.00 | — | 0.01 | Feb 12, 2024 | Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a users sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handing… | |||
| CVE-2023-41703 | 0.00 | — | 0.01 | Feb 12, 2024 | User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are… | |||
| CVE-2023-41710 | 0.00 | — | 0.00 | Jan 8, 2024 | User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added… | |||
| CVE-2023-29051 | 0.00 | — | 0.01 | Jan 8, 2024 | User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects… | |||
| CVE-2023-29050 | 0.00 | — | 0.02 | Jan 8, 2024 | The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load… | |||
| CVE-2023-29049 | 0.00 | — | 0.01 | Jan 8, 2024 | The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a… | |||
| CVE-2023-29048 | 0.00 | — | 0.01 | Jan 8, 2024 | A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and… | |||
| CVE-2023-29047 | 0.00 | — | 0.00 | Nov 2, 2023 | Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content… | |||
| CVE-2023-29046 | 0.00 | — | 0.00 | Nov 2, 2023 | Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an… | |||
| CVE-2023-29044 | 0.00 | — | 0.00 | Nov 2, 2023 | Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating… | |||
| CVE-2023-29043 | 0.00 | — | 0.00 | Nov 2, 2023 | Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when… | |||
| CVE-2023-26456 | 0.00 | — | 0.00 | Nov 2, 2023 | Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to… | |||
| CVE-2023-26455 | 0.00 | — | 0.00 | Nov 2, 2023 | RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated… | |||
| CVE-2023-26453 | 0.00 | — | 0.00 | Nov 2, 2023 | Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL… | |||
| CVE-2023-26452 | 0.00 | — | 0.00 | Nov 2, 2023 | Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by… | |||
| CVE-2023-26450 | 0.00 | — | 0.01 | Aug 2, 2023 | The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit… | |||
| CVE-2023-26449 | 0.00 | — | 0.01 | Aug 2, 2023 | The "OX Chat" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit… | |||
| CVE-2023-26448 | 0.00 | — | 0.01 | Aug 2, 2023 | Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface… | |||
| CVE-2023-26446 | 0.00 | — | 0.01 | Aug 2, 2023 | The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit… | |||
| CVE-2023-26445 | 0.00 | — | 0.01 | Aug 2, 2023 | Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the… | |||
| CVE-2023-26442 | 0.00 | — | 0.00 | Aug 2, 2023 | In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control… | |||
| CVE-2023-26441 | 0.00 | — | 0.00 | Aug 2, 2023 | Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are… | |||
| CVE-2023-26440 | 0.00 | — | 0.00 | Aug 2, 2023 | The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have… |
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on…
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow…
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As…
- risk 0.27cvss 5.3epss 0.00
A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC 2231 MIME parameters in mail messages,…
- risk 0.27cvss 5.3epss 0.00
When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading…
- risk 0.27cvss 5.3epss 0.00
When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in…
- risk 0.23cvss 3.5epss 0.01
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared…
- risk 0.21cvss 4.3epss 0.01
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect…
- risk 0.21cvss 4.3epss 0.00
Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not…
- risk 0.20cvss 3.1epss 0.00
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is…
- risk 0.17cvss 3.7epss 0.00
If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly…
- CVE-2013-1651Sep 5, 2013risk 0.03cvss —epss 0.01
OXUpdater in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof update servers and install arbitrary software via a crafted certificate.
- CVE-2013-1650Sep 5, 2013risk 0.03cvss —epss 0.01
Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses weak permissions (group "other" readable) under opt/open-xchange/etc/, which allows local users to obtain sensitive information via standard filesystem operations.
- CVE-2013-1649Sep 5, 2013risk 0.03cvss —epss 0.02
Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses the crypt and SHA-1 algorithms for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.
- CVE-2013-1648Sep 5, 2013risk 0.03cvss —epss 0.01
The Subscriptions feature in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not properly validate the publication-source URL, which allows remote authenticated users to trigger arbitrary outbound TCP traffic via a crafted Source field,…
- CVE-2013-1647Sep 5, 2013risk 0.03cvss —epss 0.02
Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1)…
- CVE-2013-1646Sep 5, 2013risk 0.03cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary web script or HTML via (1) invalid JSON data in a mail-sending POST request, (2) an arbitrary…
- CVE-2013-1645Sep 5, 2013risk 0.03cvss —epss 0.03
Directory traversal vulnerability in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the publication template path.
- CVE-2020-24701Jan 12, 2021risk 0.02cvss —epss 0.07
OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).
- CVE-2022-24405Jul 27, 2022risk 0.01cvss —epss 0.03
OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.
- CVE-2022-23100Jul 27, 2022risk 0.01cvss —epss 0.03
OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment).
- CVE-2020-15004Oct 23, 2020risk 0.01cvss —epss 0.03
OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.
- CVE-2020-15002Oct 23, 2020risk 0.01cvss —epss 0.02
OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API.
- CVE-2014-5236Jan 31, 2020risk 0.01cvss —epss 0.04
Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument…
- CVE-2023-41707Feb 12, 2024risk 0.00cvss —epss 0.01
Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related…
- CVE-2023-41706Feb 12, 2024risk 0.00cvss —epss 0.01
Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing…
- CVE-2023-41705Feb 12, 2024risk 0.00cvss —epss 0.01
Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is…
- CVE-2023-41704Feb 12, 2024risk 0.00cvss —epss 0.01
Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a users sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handing…
- CVE-2023-41703Feb 12, 2024risk 0.00cvss —epss 0.01
User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are…
- CVE-2023-41710Jan 8, 2024risk 0.00cvss —epss 0.00
User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added…
- CVE-2023-29051Jan 8, 2024risk 0.00cvss —epss 0.01
User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects…
- CVE-2023-29050Jan 8, 2024risk 0.00cvss —epss 0.02
The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load…
- CVE-2023-29049Jan 8, 2024risk 0.00cvss —epss 0.01
The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a…
- CVE-2023-29048Jan 8, 2024risk 0.00cvss —epss 0.01
A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and…
- CVE-2023-29047Nov 2, 2023risk 0.00cvss —epss 0.00
Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content…
- CVE-2023-29046Nov 2, 2023risk 0.00cvss —epss 0.00
Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an…
- CVE-2023-29044Nov 2, 2023risk 0.00cvss —epss 0.00
Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating…
- CVE-2023-29043Nov 2, 2023risk 0.00cvss —epss 0.00
Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when…
- CVE-2023-26456Nov 2, 2023risk 0.00cvss —epss 0.00
Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to…
- CVE-2023-26455Nov 2, 2023risk 0.00cvss —epss 0.00
RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated…
- CVE-2023-26453Nov 2, 2023risk 0.00cvss —epss 0.00
Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL…
- CVE-2023-26452Nov 2, 2023risk 0.00cvss —epss 0.00
Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by…
- CVE-2023-26450Aug 2, 2023risk 0.00cvss —epss 0.01
The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit…
- CVE-2023-26449Aug 2, 2023risk 0.00cvss —epss 0.01
The "OX Chat" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit…
- CVE-2023-26448Aug 2, 2023risk 0.00cvss —epss 0.01
Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface…
- CVE-2023-26446Aug 2, 2023risk 0.00cvss —epss 0.01
The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit…
- CVE-2023-26445Aug 2, 2023risk 0.00cvss —epss 0.01
Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the…
- CVE-2023-26442Aug 2, 2023risk 0.00cvss —epss 0.00
In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control…
- CVE-2023-26441Aug 2, 2023risk 0.00cvss —epss 0.00
Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are…
- CVE-2023-26440Aug 2, 2023risk 0.00cvss —epss 0.00
The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have…
Page 2 of 6