Open-Xchange Appsuite vulnerabilities

146 known vulnerabilities affecting open-xchange/open-xchange_appsuite.

Total CVEs: 146
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 117, LOW 5

Vulnerabilities

Page 3 of 8
CVE-2021-23927 | MEDIUM | CVSS 6.4 | ≤ 7.10.4 | 2021-01-12
CVE-2021-23927 [MEDIUM] CWE-918: OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.
nvd
CVE-2020-24701 | MEDIUM | CVSS 6.1 | PoC | ≤ 7.10.4 | 2021-01-12
CVE-2020-24701 [MEDIUM] CWE-79: OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).
nvd
CVE-2021-23933 | MEDIUM | CVSS 6.1 | ≤ 7.10.3 | 2021-01-12
CVE-2021-23933 [MEDIUM] CWE-79: OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.
nvd
CVE-2020-24700 | MEDIUM | CVSS 5.4 | ≤ 7.10.3 | 2021-01-12
CVE-2020-24700 [MEDIUM] CWE-918: OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.
nvd
CVE-2020-15004 | MEDIUM | CVSS 4.8 | v7.10.2, v7.10.3 | 2020-10-23
CVE-2020-15004 [MEDIUM] CWE-79: OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.
nvd
CVE-2020-15002 | MEDIUM | CVSS 5.0 | ≤ 7.10.3 | 2020-10-23
CVE-2020-15002 [MEDIUM] CWE-918: OX App Suite through 7.10.3 allows SSRF via the /ajax/messaging/message message API.
nvd
CVE-2020-15003 | MEDIUM | CVSS 4.3 | v7.10.2, v7.10.3 | 2020-10-23
CVE-2020-15003 [MEDIUM]: OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user (via the session API during shared Drive access).
nvd
CVE-2020-12645 | CRITICAL | CVSS 9.8 | ≥ 7.10.1, ≤ 7.10.3 | 2020-08-31
CVE-2020-12645 [CRITICAL] CWE-307: OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption.
nvd
CVE-2020-12643 | MEDIUM | CVSS 4.3 | ≤ 7.10.3 | 2020-08-31
CVE-2020-12643 [MEDIUM] CWE-639: OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address.
nvd
CVE-2020-12644 | MEDIUM | CVSS 5.0 | ≤ 7.10.3 | 2020-08-31
CVE-2020-12644 [MEDIUM] CWE-918: OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.
nvd
CVE-2020-12646 | MEDIUM | CVSS 5.4 | ≤ 7.10.3 | 2020-08-31
CVE-2020-12646 [MEDIUM] CWE-79: OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document.
nvd
CVE-2020-8543 | HIGH | CVSS 7.5 | v7.8.4, v7.10.1 +2 more | 2020-06-16
CVE-2020-8543 [HIGH] CWE-20: OX App Suite through 7.10.3 has Improper Input Validation.
nvd
CVE-2014-5236 | HIGH | CVSS 7.5 | ≤ 7.4.1, v7.4.2 +1 more | 2020-01-31
CVE-2014-5236 [HIGH] CWE-22: Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file.
nvd
CVE-2014-5238 | HIGH | CVSS 7.8 | ≤ 7.4.1, v7.4.2 +1 more | 2020-01-14
CVE-2014-5238 [HIGH] CWE-611: XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document.
nvd
CVE-2019-16716 | MEDIUM | CVSS 6.6 | ≤ 7.10.2 | 2020-01-06
CVE-2019-16716 [MEDIUM] CWE-276: OX App Suite through 7.10.2 has Incorrect Access Control.
nvd
CVE-2013-7485 | MEDIUM | CVSS 6.1 | v7.2.2, v7.4.0 | 2020-01-02
CVE-2013-7485 [MEDIUM]: Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects differen
nvd
CVE-2013-6242 | MEDIUM | CVSS 6.1 | v6.22.3, v6.22.4 +2 more | 2020-01-02
CVE-2013-6242 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. NOTE: the vulnerabilities related to the body of the email and the publication name were SPLIT from this CVE ID becaus
nvd
CVE-2013-7486 | MEDIUM | CVSS 6.1 | v7.2.2, v7.4.0 | 2020-01-02
CVE-2013-7486 [MEDIUM]: Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions.
nvd
CVE-2019-14226 | HIGH | CVSS 8.1 | ≤ 7.10.2 | 2019-10-14
CVE-2019-14226 [HIGH] CWE-281: OX App Suite through 7.10.2 has Insecure Permissions.
nvd
CVE-2019-11806 | LOW | CVSS 3.3 | ≥ 7.6.3, ≤ 7.10.1 | 2019-08-20
CVE-2019-11806 [LOW] CWE-732: OX App Suite 7.10.1 and earlier has Insecure Permissions.
nvd