Open-Xchange Appsuite vulnerabilities
146 known vulnerabilities affecting open-xchange/open-xchange_appsuite.

Total CVEs: 146
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0

Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 117, LOW 5
Vulnerabilities
Page 6 of 8
CVE-2016-5740 | MEDIUM | CVSS 6.1 | CWE-79 | PoC available | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's cur
Source: nvd
CVE-2016-4047 | MEDIUM | CVSS 4.3 | CWE-200 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a
Source: nvd
CVE-2016-6850 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's con
Source: nvd
CVE-2016-4048 | MEDIUM | CVSS 4.3 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow instructions injected by third parties as part of social engineering attacks.
Source: nvd
CVE-2016-6843 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a user with elevated permissions. Malicious script code can b
Source: nvd
CVE-2016-6848 | MEDIUM | CVSS 5.5 | CWE-254 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead t
Source: nvd
CVE-2016-6845 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a proper location. Malicious script code can be executed w
Source: nvd
CVE-2016-6842 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijackin
Source: nvd
CVE-2016-6852 | MEDIUM | CVSS 4.3 | CWE-200 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks.
Source: nvd
CVE-2016-4045 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script code can be executed within a user's context. This can lead to session hijack
Source: nvd
CVE-2016-6847 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actio
Source: nvd
CVE-2016-6844 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.2 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to
Source: nvd
CVE-2016-5124 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image from a specially crafted website and add it to HTML editor areas of OX App
Source: nvd
CVE-2016-3173 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≤ 7.8.0 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be execute
Source: nvd
CVE-2016-4026 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output an unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to se
Source: nvd
CVE-2016-4027 | LOW | CVSS 3.5 | CWE-200 | Affected: ≤ 7.8.1 | Published: 2016-12-15
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stor
Source: nvd
CVE-2015-5375 | MEDIUM | CVSS 4.3 | CWE-79 | Affected: ≤ 7.6.2 | Published: 2015-09-28
Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object propert
Source: nvd
CVE-2014-9466 | MEDIUM | CVSS 4.0 | CWE-264 | Affected: v7.4.2, v7.6.0, +1 more | Published: 2015-02-17
Open-Xchange (OX) AppSuite and Server before 7.4.2-rev42, 7.6.0 before 7.6.0-rev36, and 7.6.1 before 7.6.1-rev14 does not properly handle directory permissions, which allows remote authenticated users to read files via unspecified vectors, related to the "folder identifier."
Source: nvd
CVE-2014-8993 | MEDIUM | CVSS 4.3 | CWE-79 | Affected: ≤ 7.4.2, v7.6.0, +1 more | Published: 2015-01-07
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type.
Source: nvd
CVE-2014-1679 | MEDIUM | CVSS 4.3 | CWE-79 | Affected: ≤ 7.2.2, v7.4.0, +1 more | Published: 2015-01-05
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file.
Source: nvd