Vendor CVEs
Open-Xchange
All CVEs
256 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-33493 | | | 0.00 | — | 0.00 | | Nov 22, 2021 | The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format. |
| CVE-2021-33492 | | | 0.00 | — | 0.01 | | Nov 22, 2021 | OX App Suite 7.10.5 allows XSS via an OX Chat room name. |
| CVE-2021-33491 | | | 0.00 | — | 0.02 | | Nov 22, 2021 | OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses in conjunction with auto-configuration DNS records. |
| CVE-2021-33490 | | | 0.00 | — | 0.01 | | Nov 22, 2021 | OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature. |
| CVE-2021-26699 | | | 0.00 | — | 0.02 | | Jul 22, 2021 | OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used. |
| CVE-2021-37403 | | | 0.00 | — | 0.01 | | Jul 22, 2021 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used. |
| CVE-2021-37402 | | | 0.00 | — | 0.01 | | Jul 22, 2021 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled. |
| CVE-2021-26698 | | | 0.00 | — | 0.01 | | Jul 22, 2021 | OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used. |
| CVE-2020-28945 | | | 0.00 | — | 0.01 | | May 3, 2021 | OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as  that is mishandled in the App Suite UI on a smartphone. |
| CVE-2021-31935 | | | 0.00 | — | 0.01 | | Apr 30, 2021 | OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view. |
| CVE-2020-28944 | | | 0.00 | — | 0.02 | | Apr 30, 2021 | OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data. |
| CVE-2020-28943 | | | 0.00 | — | 0.01 | | Apr 30, 2021 | OX App Suite 7.10.4 and earlier allows SSRF via a snippet. |
| CVE-2021-23927 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. |
| CVE-2021-23928 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string. |
| CVE-2021-23929 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/?delivery=view URI. |
| CVE-2021-23930 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. |
| CVE-2021-23932 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename. |
| CVE-2021-23933 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL. |
| CVE-2021-23934 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. |
| CVE-2021-23935 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code. |
| CVE-2021-23936 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | OX App Suite through 7.10.4 allows XSS via the subject of a task. |
| CVE-2020-15003 | | | 0.00 | — | 0.01 | | Oct 23, 2020 | OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user (via the session API during shared Drive access). |
| CVE-2020-12646 | | | 0.00 | — | 0.01 | | Aug 31, 2020 | OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document. |
| CVE-2020-12645 | | | 0.00 | — | 0.01 | | Aug 31, 2020 | OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption. |
| CVE-2020-12644 | | | 0.00 | — | 0.01 | | Aug 31, 2020 | OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API. |
| CVE-2020-12643 | | | 0.00 | — | 0.01 | | Aug 31, 2020 | OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address. |
| CVE-2020-8544 | | | 0.00 | — | 0.01 | | Jun 16, 2020 | OX App Suite through 7.10.3 allows SSRF. |
| CVE-2020-8541 | | | 0.00 | — | 0.01 | | Jun 16, 2020 | OX App Suite through 7.10.3 allows XXE attacks. |
| CVE-2020-8542 | | | 0.00 | — | 0.01 | | Jun 16, 2020 | OX App Suite through 7.10.3 allows XSS. |
| CVE-2020-8543 | | | 0.00 | — | 0.02 | | Jun 16, 2020 | OX App Suite through 7.10.3 has Improper Input Validation. |
| CVE-2020-9426 | | | 0.00 | — | 0.01 | | Jun 15, 2020 | OX Guard 2.10.3 and earlier allows XSS. |
| CVE-2020-9427 | | | 0.00 | — | 0.01 | | Jun 15, 2020 | OX Guard 2.10.3 and earlier allows SSRF. |
| CVE-2019-18846 | | | 0.00 | — | 0.01 | | Feb 21, 2020 | OX App Suite through 7.10.2 allows SSRF. |
| CVE-2014-5238 | | | 0.00 | — | 0.02 | | Jan 14, 2020 | XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document. |
| CVE-2019-16716 | | | 0.00 | — | 0.02 | | Jan 6, 2020 | OX App Suite through 7.10.2 has Incorrect Access Control. |
| CVE-2019-16717 | | | 0.00 | — | 0.02 | | Jan 6, 2020 | OX App Suite through 7.10.2 has XSS. |
| CVE-2013-6242 | | | 0.00 | — | 0.02 | | Jan 2, 2020 | Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. NOTE: the vulnerabilities related to the… |
| CVE-2013-7486 | | | 0.00 | — | 0.02 | | Jan 2, 2020 | Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. NOTE: this vulnerability was SPLIT from… |
| CVE-2013-7485 | | | 0.00 | — | 0.02 | | Jan 2, 2020 | Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message.… |
| CVE-2019-14225 | | | 0.00 | — | 0.01 | | Oct 14, 2019 | OX App Suite 7.10.1 and 7.10.2 allows SSRF. |
| CVE-2019-11806 | | | 0.00 | — | 0.00 | | Aug 20, 2019 | OX App Suite 7.10.1 and earlier has Insecure Permissions. |
| CVE-2019-11522 | | | 0.00 | — | 0.01 | | Aug 20, 2019 | OX App Suite 7.10.0 to 7.10.2 allows XSS. |
| CVE-2019-11521 | | | 0.00 | — | 0.02 | | Aug 20, 2019 | OX App Suite 7.10.1 allows Content Spoofing. |
| CVE-2018-10986 | | | 0.00 | — | 0.00 | | Jul 3, 2019 | OX Guard 2.8.0 has CSRF. |
| CVE-2019-7159 | | | 0.00 | — | 0.02 | | Jun 18, 2019 | OX App Suite 7.10.1 and earlier allows Information Exposure. |
| CVE-2019-7158 | | | 0.00 | — | 0.02 | | Jun 17, 2019 | OX App Suite 7.10.0 and earlier has Incorrect Access Control. |
| CVE-2017-13667 | | | 0.00 | — | 0.01 | | May 23, 2019 | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. |
| CVE-2017-13668 | | | 0.00 | — | 0.01 | | May 23, 2019 | OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). |
| CVE-2017-15029 | | | 0.00 | — | 0.01 | | May 23, 2019 | Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. |