Open-Xchange Appsuite vulnerabilities

146 known vulnerabilities affecting open-xchange/open-xchange_appsuite.

Total CVEs: 146
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 117, LOW 5

Vulnerabilities

Page 7 of 8
CVE-2013-6241 | MEDIUM | CVSS 4.0 | v7.2.0, v7.2.1, +2 more | 2014-12-27
CWE-200: The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL statement for next-year birthdays, which allows remote authenticated users to obtain sensitive birthday, displayname, firstname, and surname information via a bir
nvd
CVE-2014-7871 | MEDIUM | CVSS 6.5 | ≤ 7.4.2, v7.6.0 | 2014-11-21
CWE-89: SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.
nvd
CVE-2014-5234 | MEDIUM | CVSS 4.3 | ≤ 7.4.1, v6.20.7, +9 more | 2014-09-17
CWE-79: Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name.
nvd
CVE-2014-5235 | MEDIUM | CVSS 4.3 | ≤ 7.4.1, v6.20.7, +9 more | 2014-09-17
CWE-79: Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds.
nvd
CVE-2014-2392 | MEDIUM | CVSS 4.3 | ≤ 7.2.2, v7.2.0, +3 more | 2014-04-24
CWE-200: The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.
nvd
CVE-2014-2391 | MEDIUM | CVSS 4.3 | ≤ 7.2.2, v7.2.0, +3 more | 2014-04-24
CWE-200: The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading
nvd
CVE-2014-2393 | MEDIUM | CVSS 4.3 | ≤ 7.2.2, v7.2.0, +3 more | 2014-04-24
CWE-79: Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.
nvd
CVE-2014-2077 | MEDIUM | CVSS 4.3 | v7.4.1, v7.4.2 | 2014-03-20
CWE-79: Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 7.4.1 before 7.4.1-rev10 and 7.4.2 before 7.4.2-rev8 allows remote attackers to inject arbitrary web script or HTML via the subject of an email, involving 'the aria "tags" for screenreaders at the top bar'.
nvd
CVE-2013-7142 | MEDIUM | CVSS 4.3 | ≤ 7.4.1, v6.20.7, +8 more | 2014-01-26
CWE-79: Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions.
nvd
CVE-2013-7140 | MEDIUM | CVSS 4.0 | ≤ 7.4.1, v6.20.7, +8 more | 2014-01-26
XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface. NOTE: this issue has been labeled as both absolute path traversal and XXE, but the root cause may be XXE, since XXE
nvd
CVE-2013-7141 | MEDIUM | CVSS 4.3 | ≤ 7.4.1, v6.20.7, +8 more | 2014-01-26
CWE-79: Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "<%" tags.
nvd
CVE-2013-7143 | MEDIUM | CVSS 4.3 | ≤ 7.4.1, v6.20.7, +8 more | 2014-01-26
CWE-79: Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule.
nvd
CVE-2013-6997 | MEDIUM | CVSS 4.3 | ≤ 7.4.0, v6.20.7, +7 more | 2014-01-09
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange (OX) AppSuite 7.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an HTML email with crafted CSS code containing wildcards or (2) office documents containing "crafted hyperlinks with script URL handlers."
nvd
CVE-2013-6074 | MEDIUM | CVSS 4.3 | v7.2.0, v7.2.1, +2 more | 2013-11-20
CWE-79: Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14 allows remote attackers to inject arbitrary web script or HTML via an attached SVG file.
nvd
CVE-2013-6009 | MEDIUM | CVSS 4.3 | ≤ 7.2.1, v6.20.7, +5 more | 2013-10-03
CWE-94: CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, when using AJP in certain conditions, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the ajax/defer servlet.
nvd
CVE-2013-5690 | LOW | CVSS 3.5 | ≤ 7.2.1, v6.20.7, +5 more | 2013-10-03
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite before 7.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) content with the text/xml MIME type or (2) the Status comment field of an appointment.
nvd
CVE-2013-5200 | HIGH | CVSS 7.5 | v7.0.1, v7.0.2, +2 more | 2013-09-25
CWE-287: The (1) REST and (2) memcache interfaces in the Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 do not require authentication, which allows remote attackers to obtain sensitive information or modify data via an API call.
nvd
CVE-2013-5934 | MEDIUM | CVSS 4.0 | v7.0.1, v7.0.2, +2 more | 2013-09-25
Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 has a hardcoded password for node join operations, which allows remote attackers to expand a cluster by finding this password in the source code and then sending the password in a Hazelcast cluster API call, a different vulnerability than CVE-2013-5200.
nvd
CVE-2013-5936 | MEDIUM | CVSS 4.3 | v7.0.1, v7.0.2, +2 more | 2013-09-25
The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 allows remote attackers to obtain sensitive information about (1) runtime activity, (2) network configuration, (3) user sessions, (4) the memcache interface, and (5) the REST interface via API calls such as a hazelcast/rest/cluster/ call, a different vulne
nvd
CVE-2013-5935 | MEDIUM | CVSS 4.3 | v7.0.1, v7.0.2, +2 more | 2013-09-25
The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 does not properly restrict the set of network interfaces that can receive API calls, which makes it easier for remote attackers to obtain access by sending network traffic from an unintended location, a different vulnerability than CVE-2013-5200.
nvd