Open-Xchange Appsuite vulnerabilities
146 known vulnerabilities affecting open-xchange/open-xchange_appsuite.
Total CVEs: 146
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 117, LOW 5
Vulnerabilities
Page 4 of 8
CVE-2018-9997 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.6.3, v7.6.3-rev14, +75 more | 2018-07-05
Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page with data-toggle gadgets.
nvd
CVE-2013-6242 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v6.22.3, v6.22.4, +2 more | 2020-01-02
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. NOTE: the vulnerabilities related to the body of the email and the publication name were SPLIT from this CVE ID becaus
nvd
CVE-2021-23931 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.10.3 | 2021-01-12
OX App Suite through 7.10.4 allows XSS via an inline binary file.
nvd
CVE-2021-23930 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.10.3 | 2021-01-12
OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.
nvd
CVE-2021-23934 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.10.3 | 2021-01-12
OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.
nvd
CVE-2021-23935 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.10.3 | 2021-01-12
OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code.
nvd
CVE-2021-31934 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.10.4 | 2021-04-30
OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.
nvd
CVE-2016-6850 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.8.2 | 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's con
nvd
CVE-2016-6843 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.8.2 | 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a user with elevated permissions. Malicious script code can b
nvd
CVE-2016-6842 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.8.2 | 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijackin
nvd
CVE-2016-6844 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.8.2 | 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to
nvd
CVE-2022-37310 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.10.5, v7.10.5, +1 more | 2022-12-26
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.
nvd
CVE-2014-2078 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | v7.4.2 | 2018-04-10
The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain sensitive information about user email addresses in opportunistic circumstances by leveraging a failure in e-mail auto configuration for external accounts.
nvd
CVE-2016-3173 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 7.8.0 | 2016-12-15
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be execute
nvd
CVE-2022-37311 | P4 | MEDIUM | CVSS 5.3 | CWE-1284 | fixed in 7.10.5, v7.10.5, +1 more | 2022-12-26
OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.
nvd
CVE-2022-37313 | P4 | MEDIUM | CVSS 5.3 | CWE-918 | fixed in 7.10.5, v7.10.5, +1 more | 2022-12-26
OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.
nvd
CVE-2013-7485 | P4 | MEDIUM | CVSS 6.1 | v7.2.2, v7.4.0 | 2020-01-02
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16 allows remote attackers to inject arbitrary web script or HTML via the publication name, which is not properly handled in an error message. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects differen
nvd
CVE-2013-7486 | P4 | MEDIUM | CVSS 6.1 | v7.2.2, v7.4.0 | 2020-01-02
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions.
nvd
CVE-2015-1588 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.4.2, v7.6.0, +1 more | 2017-06-08
Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21.
nvd
CVE-2021-23928 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 7.10.3 | 2021-01-12
OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.
nvd