ReportizFlow
Filtered by vendor Open-xchange
Subscriptions
Filtered by product Open-xchange Appsuite
Subscriptions
Total
157 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41708 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-05-06 | 5.4 Medium |
| References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strict to avoid relative references. No publicly available exploits are known. | ||||
| CVE-2015-1588 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2025-04-20 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21. | ||||
| CVE-2022-29853 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.4 Medium |
| OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. | ||||
| CVE-2022-29852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.4 Medium |
| OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. | ||||
| CVE-2022-37313 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. | ||||
| CVE-2022-37312 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. | ||||
| CVE-2022-37311 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. | ||||
| CVE-2022-37310 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. | ||||
| CVE-2022-37309 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. | ||||
| CVE-2022-37308 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. | ||||
| CVE-2022-37307 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. | ||||
| CVE-2022-31469 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. | ||||
| CVE-2016-6850 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2014-2391 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request. | ||||
| CVE-2016-6844 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-4047 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed. | ||||
| CVE-2014-8993 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type. | ||||
| CVE-2016-6848 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution. | ||||
| CVE-2016-6847 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2014-5234 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name. | ||||