Open-Xchange Appsuite vulnerabilities
146 known vulnerabilities affecting open-xchange/open-xchange_appsuite.
Total CVEs: 146
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 117, LOW 5
Vulnerabilities
Page 3 of 8
CVE-2018-9998 | P4 | MEDIUM | CVSS 6.5 | CWE-200 | Affected: ≤ 7.6.3, v7.6.3-rev14 (+87 more) | Published: 2018-07-05
Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include folder names in API error responses, which allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to api/tasks.
Source: nvd
CVE-2020-24700 | P4 | MEDIUM | CVSS 5.4 | CWE-918 | Affected: ≤ 7.10.3 | Published: 2021-01-12
OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.
Source: nvd
CVE-2016-4046 | P4 | MEDIUM | CVSS 5.8 | CWE-918 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existence of h
Source: nvd
CVE-2018-12611 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.4 | Published: 2019-01-30
OX App Suite 7.8.4 and earlier allows Directory Traversal.
Source: nvd
CVE-2016-2840 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.0 | Published: 2016-12-15
An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, t
Source: nvd
CVE-2021-26698 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: v7.10.3, v7.10.4 | Published: 2021-07-22
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used.
Source: nvd
CVE-2016-5124 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image from a specially crafted website and add it to HTML editor areas of OX App
Source: nvd
CVE-2023-41704 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Fixed in: 7.6.3, 7.10.6 (+3 more) | Published: 2024-02-12
Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected into a user's session when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handling has been improved and resulting content is checked for malicious content
Source: nvd
CVE-2023-41703 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Fixed in: 7.10.6, 8.20 (+1 more) | Published: 2024-02-12
User ID references at mentions in document comments were not correctly sanitized. Script code could be injected into a user's session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions is now filtered to avoid potentially malicious content. No publicly available
Source: nvd
CVE-2021-26699 | P4 | MEDIUM | CVSS 5.4 | CWE-918 | Affected: v7.10.3, v7.10.4 | Published: 2021-07-22
OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used.
Source: nvd
CVE-2023-29044 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in: 7.10.6 | Affected: v7.10.6 | Published: 2023-11-02
Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now get escaped to avoid code execution. No publicly available e
Source: nvd
CVE-2023-29045 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in: 7.10.6 | Affected: v7.10.6 | Published: 2023-11-02
Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now get checked for validity to avoid
Source: nvd
CVE-2021-37403 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: v7.10.3, v7.10.4 | Published: 2021-07-22
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used.
Source: nvd
CVE-2021-37402 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: v7.10.3, v7.10.4 | Published: 2021-07-22
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled.
Source: nvd
CVE-2016-6845 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a proper location. Malicious script code can be executed w
Source: nvd
CVE-2016-4045 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script code can be executed within a user's context. This can lead to session hijack
Source: nvd
CVE-2016-6847 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actio
Source: nvd
CVE-2020-15002 | P4 | MEDIUM | CVSS 5.0 | CWE-918 | Affected: ≤ 7.10.3 | Published: 2020-10-23
OX App Suite through 7.10.3 allows SSRF via the /ajax/messaging/message message API.
Source: nvd
CVE-2023-41708 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in: 7.10.6 | Affected: v7.10.6 | Published: 2024-02-12
References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strictly to avoid relative references. No publicly available
Source: nvd
CVE-2020-12644 | P4 | MEDIUM | CVSS 5.0 | CWE-918 | Affected: ≤ 7.10.3 | Published: 2020-08-31
OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.
Source: nvd