
Open-Xchange GmbH OX App Suite vulnerabilities

27 known vulnerabilities affecting open-xchange_gmbh/ox_app_suite.

Total CVEs: 27
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 23

Vulnerabilities

Page 1 of 2
CVE-2023-29048 | P2 | HIGH | CVSS 8.8 | affected ≤ 7.10.6-rev50 | date 2024-01-08
  CWE-78. A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine
  Source: nvd

CVE-2023-29050 | P3 | CRITICAL | CVSS 9.6 | affected ≤ 7.10.6-rev50 | date 2024-01-08
  CWE-90. The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has bee
  Source: nvd

CVE-2023-29051 | P3 | HIGH | CVSS 8.1 | affected ≤ 7.10.6-rev51 | date 2024-01-08
  CWE-284. User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users and contexts. We now make sure that the switch to disabl
  Source: nvd

CVE-2025-30188 | P3 | HIGH | CVSS 7.5 | affected ≤ 2.1.7 | date 2025-10-31
  CWE-400. Malicious or unintentional API requests can be used to add a significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known
  Source: nvd

CVE-2024-23188 | P3 | MEDIUM | CVSS 6.5 | affected ≤ 8.21 | date 2024-05-06
  CWE-79. Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releas
  Source: nvd

CVE-2023-41705 | P4 | MEDIUM | CVSS 6.5 | affected ≤ 7.10.6-rev55 | date 2024-02-12
  CWE-400. Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly available expl
  Source: nvd

CVE-2023-41706 | P4 | MEDIUM | CVSS 6.5 | affected ≤ 7.10.6-rev55 | date 2024-02-12
  CWE-400. Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing of user-defined drive search expressions is not limited. No publicly avai
  Source: nvd

CVE-2023-41707 | P4 | MEDIUM | CVSS 6.5 | affected ≤ 7.10.6-rev55 | date 2024-02-12
  CWE-400. Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly avail
  Source: nvd

CVE-2023-29049 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 7.10.6-rev33 | date 2024-01-08
  CWE-79. The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid mal
  Source: nvd

CVE-2024-23186 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 8.21 | date 2024-05-06
  CWE-79. E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding di
  Source: nvd

CVE-2024-23192 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 7.10.6-rev40 | date 2024-04-08
  CWE-79. RSS feeds that contain malicious data- attributes could be abused to inject script code into a user's browser session when reading compromised RSS feeds or successfully luring users to compromised accounts. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases.
  Source: nvd

CVE-2024-23187 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 8.21 | date 2024-05-06
  CWE-79. Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the user's account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replac
  Source: nvd

CVE-2025-59025 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 8.35.110 | date 2025-11-27
  CWE-79. Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known
  Source: nvd

CVE-2024-23189 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 7.10.6-rev40 | date 2024-04-08
  CWE-79. Embedded content references at tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this an attacker would require temporary access to the user's account, access to another account within the same context or a successful social engineering attack to make users import external content. Attacker
  Source: nvd

CVE-2024-23191 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 7.10.6-rev40 | date 2024-04-08
  CWE-79. Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests
  Source: nvd

CVE-2024-23190 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 7.10.6-rev40 | date 2024-04-08
  CWE-79. Upsell shop information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests or extrac
  Source: nvd

CVE-2024-25582 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 7.10.6-rev42 | date 2024-08-19
  CWE-79. Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malic
  Source: nvd

CVE-2024-23193 | P4 | MEDIUM | CVSS 5.3 | affected ≤ 8.21 | date 2024-05-06
  CWE-200. E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users' E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple reque
  Source: nvd

CVE-2025-59026 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 8.35.110 | date 2025-11-27
  CWE-79. Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known
  Source: nvd

CVE-2025-30186 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 8.35.107 | date 2025-11-27
  CWE-79. Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known
  Source: nvd