ReportizFlow
Filtered by vendor Open-xchange
Subscriptions
Total
262 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-4367 | 4 Debian, Mozilla, Open-xchange and 1 more | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2025-04-24 | 5.6 Medium |
| A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. | ||||
| CVE-2016-6846 | 1 Open-xchange | 4 Documentconverter-api, Office Web, Open-xchange Appsuite Backend and 1 more | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML. | ||||
| CVE-2015-1588 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2025-04-20 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21. | ||||
| CVE-2023-29049 | 1 Open-xchange | 1 Ox App Suite | 2025-04-17 | 5.4 Medium |
| The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known. | ||||
| CVE-2022-29853 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.4 Medium |
| OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. | ||||
| CVE-2022-29852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.4 Medium |
| OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. | ||||
| CVE-2022-37313 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. | ||||
| CVE-2022-37312 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. | ||||
| CVE-2022-37311 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. | ||||
| CVE-2022-37310 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. | ||||
| CVE-2022-37309 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. | ||||
| CVE-2022-37308 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. | ||||
| CVE-2022-37307 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. | ||||
| CVE-2022-31469 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. | ||||
| CVE-2014-8993 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type. | ||||
| CVE-2016-4026 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Attackers can use this issue for filter evasion to inject script code later on. | ||||
| CVE-2016-6848 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution. | ||||
| CVE-2016-5740 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-6853 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-6852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks. | ||||