cbcvebase.

Open-Xchange Appsuite vulnerabilities

146 known vulnerabilities affecting open-xchange/open-xchange_appsuite.

Total CVEs: 146
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 117, LOW 5

Vulnerabilities

CVE-2018-5752 | P3 | HIGH | CVSS 8.8 | PoC | ≤ 7.6.3 | v7.6.3 +4 more | 2018-06-16
CVE-2018-5752 [HIGH] CWE-918: The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses.
nvd
CVE-2018-5751 | P3 | MEDIUM | CVSS 6.5 | PoC | ≤ 7.6.3 | v7.6.3 +4 more | 2018-06-16
CVE-2018-5751 [MEDIUM] CWE-200: The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.
nvd
CVE-2018-5753 | P3 | MEDIUM | CVSS 6.5 | PoC | ≤ 7.6.3 | v7.6.3 +4 more | 2018-06-16
CVE-2018-5753 [MEDIUM] CWE-20: The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.
nvd
CVE-2020-24701 | P3 | MEDIUM | CVSS 6.1 | PoC | ≤ 7.10.4 | 2021-01-12
CVE-2020-24701 [MEDIUM] CWE-79: OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).
nvd
CVE-2017-17062 | P3 | MEDIUM | CVSS 6.5 | PoC | ≤ 7.6.3 | v7.6.3 +4 more | 2018-06-16
CVE-2017-17062 [MEDIUM] CWE-79: The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.
nvd
CVE-2018-5755 | P3 | MEDIUM | CVSS 5.5 | PoC | ≤ 7.6.3 | v7.8.0 +3 more | 2018-06-16
CVE-2018-5755 [MEDIUM] CWE-22: Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet.
nvd
CVE-2016-5740 | P3 | MEDIUM | CVSS 6.1 | PoC | ≤ 7.8.2 | 2016-12-15
CVE-2016-5740 [MEDIUM] CWE-79: An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's cur
nvd
CVE-2018-5756 | P3 | MEDIUM | CVSS 4.3 | PoC | ≤ 7.6.3 | v7.6.3 +4 more | 2018-06-16
CVE-2018-5756 [MEDIUM] CWE-269: The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks.
nvd
CVE-2023-26452 | P3 | HIGH | CVSS 8.8 | fixed in 7.10.6 | v7.10.6 | 2023-11-02
CVE-2023-26452 [HIGH] CWE-89: Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the servic
nvd
CVE-2023-26453 | P3 | HIGH | CVSS 8.8 | fixed in 7.10.6 | v7.10.6 | 2023-11-02
CVE-2023-26453 [HIGH] CWE-89: Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account.
nvd
CVE-2023-26454 | P3 | HIGH | CVSS 8.8 | fixed in 7.10.6 | v7.10.6 | 2023-11-02
CVE-2023-26454 [HIGH] CWE-89: Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user a
nvd
CVE-2018-5754 | P4 | MEDIUM | CVSS 5.4 | PoC | ≤ 7.8.3 | v7.8.3 +1 more | 2018-06-16
CVE-2018-5754 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.
nvd
CVE-2019-7158 | P3 | CRITICAL | CVSS 9.8 | ≤ 7.10.0 | 2019-06-17
CVE-2019-7158 [CRITICAL]: OX App Suite 7.10.0 and earlier has Incorrect Access Control.
nvd
CVE-2017-5863 | P3 | CRITICAL | CVSS 9.8 | ≤ 7.8.3 | 2019-05-22
CVE-2017-5863 [CRITICAL] CWE-284: Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
nvd
CVE-2017-5212 | P3 | CRITICAL | CVSS 9.8 | v7.8.3 | 2019-05-23
CVE-2017-5212 [CRITICAL] CWE-284: Open-Xchange GmbH OX App Suite 7.8.3 is affected by: Incorrect Access Control.
nvd
CVE-2023-29047 | P3 | HIGH | CVSS 7.3 | fixed in 7.10.6 | v7.10.6 | 2023-11-02
CVE-2023-29047 [HIGH] CWE-89: Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content which is accessible to the imageconverter SQL user account. None No publicly
nvd
CVE-2017-6912 | P3 | HIGH | CVSS 8.8 | ≤ 7.8.3 | 2019-05-22
CVE-2017-6912 [HIGH] CWE-284: Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
nvd
CVE-2017-8340 | P3 | HIGH | CVSS 8.8 | ≤ 7.8.3 | 2019-05-22
CVE-2017-8340 [HIGH] CWE-284: Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control.
nvd
CVE-2017-13667 | P3 | CRITICAL | CVSS 9.9 | ≤ 7.8.4 | 2019-05-23
CVE-2017-13667 [CRITICAL] CWE-918: OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF.
nvd
CVE-2020-12645 | P3 | CRITICAL | CVSS 9.8 | ≥ 7.10.1, ≤ 7.10.3 | 2020-08-31
CVE-2020-12645 [CRITICAL] CWE-307: OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption.
nvd