Open-Xchange Appsuite vulnerabilities

CVE-2017-12885 [MEDIUM] CWE-79 CVE-2017-12885: OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS). OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

CVE-2018-13104 [MEDIUM] CWE-79 CVE-2018-13104: OX App Suite 7.8.4 and earlier allows XSS. Internal reference: 58742 (Bug ID) OX App Suite 7.8.4 and earlier allows XSS. Internal reference: 58742 (Bug ID)

CVE-2018-12611 [MEDIUM] CWE-79 CVE-2018-12611: OX App Suite 7.8.4 and earlier allows Directory Traversal. OX App Suite 7.8.4 and earlier allows Directory Traversal.

CVE-2018-12610 [MEDIUM] CWE-200 CVE-2018-12610: OX App Suite 7.8.4 and earlier allows Information Exposure. OX App Suite 7.8.4 and earlier allows Information Exposure.

CVE-2018-12609 [MEDIUM] CWE-918 CVE-2018-12609: OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery. OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery.

CVE-2017-6913 [MEDIUM] CWE-79 CVE-2017-6913: Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remot Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag.

CVE-2018-9998 [MEDIUM] CWE-200 CVE-2018-9998: Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, an Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include folder names in API error responses, which allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to api/tasks.

CVE-2018-9997 [MEDIUM] CWE-79 CVE-2018-9997: Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-r Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page with data-toggle gadgets.

CVE-2018-5752 [HIGH] CWE-918 CVE-2018-5752: The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8 The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses.

CVE-2018-5751 [MEDIUM] CWE-200 CVE-2018-5751: The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8 The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.

CVE-2017-17062 [MEDIUM] CWE-79 CVE-2017-17062: The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8 The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.

CVE-2018-5754 [MEDIUM] CWE-79 CVE-2018-5754: Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite be Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.

CVE-2018-5756 [MEDIUM] CWE-269 CVE-2018-5756: The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8 The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks.

CVE-2018-5755 [MEDIUM] CWE-22 CVE-2018-5755: Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite bef Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet.

CVE-2018-5753 [MEDIUM] CWE-20 CVE-2018-5753: The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7. The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.

CVE-2014-2078 [MEDIUM] CWE-200 CVE-2014-2078: The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain sensitive information about user email addresses in opportunistic circumstances by leveraging a failure in e-mail auto configuration for external accounts.

CVE-2015-1588 [MEDIUM] CWE-79 CVE-2015-1588: Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21.

CVE-2016-3174 [HIGH] CWE-601 CVE-2016-3174: An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers t An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability

CVE-2016-2840 [MEDIUM] CWE-79 CVE-2016-2840: An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" par An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, t

CVE-2016-4046 [MEDIUM] CWE-918 CVE-2016-4046: An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure extern An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existence of h