Open-Xchange Appsuite vulnerabilities

CVE-2023-41706 [MEDIUM] CWE-400 CVE-2023-41706: Processing time of drive search expressions now gets monitored, and the related request is terminate Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing of user-defined drive search expressions is not limited No publicly avai

CVE-2023-41708 [MEDIUM] CWE-79 CVE-2023-41708: References to the "app loader" functionality could contain redirects to unexpected locations. Attack References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strict to avoid relative references. No publicly available

CVE-2023-41704 [MEDIUM] CWE-79 CVE-2023-41704: Processing of CID references at E-Mail can be abused to inject malicious script code that passes the Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a users sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handing has been improved and resulting content is checked for malicious content

CVE-2023-41707 [MEDIUM] CWE-400 CVE-2023-41707: Processing of user-defined mail search expressions is not limited. Availability of OX App Suite coul Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly avail

CVE-2023-41703 [MEDIUM] CWE-79 CVE-2023-41703: User ID references at mentions in document comments were not correctly sanitized. Script code could User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are now filtered to avoid potentially malicious content. No publicly available

CVE-2023-41705 [MEDIUM] CWE-400 CVE-2023-41705: Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly available expl

CVE-2023-26452 [HIGH] CWE-89 CVE-2023-26452: Requests to cache an image and return its metadata could be abused to include SQL queries that would Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the servic

CVE-2023-26455 [HIGH] CWE-287 CVE-2023-26455: RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers wit RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are kno

CVE-2023-26453 [HIGH] CWE-89 CVE-2023-26453: Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account.

CVE-2023-26454 [HIGH] CWE-89 CVE-2023-26454: Requests to fetch image metadata could be abused to include SQL queries that would be executed unche Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user a

CVE-2023-29047 [HIGH] CWE-89 CVE-2023-29047: Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing c Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content which is accessible to the imageconverter SQL user account. None No publicly

CVE-2023-29044 [MEDIUM] CWE-79 CVE-2023-29044: Documents operations could be manipulated to contain invalid data types, possibly script code. Scrip Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now get escaped to avoid code execution. No publicly available e

CVE-2023-29045 [MEDIUM] CWE-79 CVE-2023-29045: Documents operations, in this case "drawing", could be manipulated to contain invalid data types, po Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now gets checked for validity to avoid

CVE-2023-29046 [MEDIUM] CWE-400 CVE-2023-29046: Connections to external data sources, like e-mail autoconfiguration, were not terminated in case the Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amoun

CVE-2022-37308 [MEDIUM] CWE-79 CVE-2022-37308: OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.

CVE-2022-37310 [MEDIUM] CWE-79 CVE-2022-37310: OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.

CVE-2022-37311 [MEDIUM] CWE-1284 CVE-2022-37311: OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request param OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.

CVE-2022-31469 [MEDIUM] CWE-79 CVE-2022-31469: OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.

CVE-2022-37307 [MEDIUM] CWE-79 CVE-2022-37307: OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.

CVE-2022-37313 [MEDIUM] CWE-918 CVE-2022-37313: OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the f OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.