Open-Xchange GmbH OX App Suite vulnerabilities
27 known vulnerabilities affecting open-xchange_gmbh/ox_app_suite.

Total CVEs: 27
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 23

Vulnerabilities (page 1 of 2)
CVE-2025-59026 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 8.35.110 | published: 2025-11-27 | sources: cvelistv5, nvd
Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known.

CVE-2025-30190 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 8.35.1513817 | published: 2025-11-27 | sources: cvelistv5, nvd
Malicious content in office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known.

CVE-2025-59025 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 8.35.110 | published: 2025-11-27 | sources: cvelistv5, nvd
Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known.

CVE-2025-30186 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 8.35.107 | published: 2025-11-27 | sources: cvelistv5, nvd
Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known.

CVE-2025-30188 | HIGH | CVSS 7.5 | CWE-400 | affected: ≤ 2.1.7 | published: 2025-10-31 | sources: cvelistv5, nvd
Malicious or unintentional API requests can be used to add a significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known.

CVE-2025-30191 | MEDIUM | CVSS 5.4 | CWE-1021 | affected: ≤ 7.6.3-rev77 | published: 2025-10-31 | sources: cvelistv5, nvd
Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked into performing unintended actions or providing sensitive information to a third party, which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known.

CVE-2024-25582 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 7.10.6-rev42 | published: 2024-08-19 | sources: cvelistv5, nvd
Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malic

CVE-2024-23188 | MEDIUM | CVSS 6.5 | CWE-79 | affected: ≤ 8.21 | published: 2024-05-06 | sources: cvelistv5, nvd
Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releas

CVE-2024-23187 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 8.21 | published: 2024-05-06 | sources: cvelistv5, nvd
Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the user's account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replac

CVE-2024-23186 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 8.21 | published: 2024-05-06 | sources: cvelistv5, nvd
E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding di

CVE-2024-23193 | MEDIUM | CVSS 5.3 | CWE-200 | affected: ≤ 8.21 | published: 2024-05-06 | sources: cvelistv5, nvd
E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users' E-Mails in case they were exported as PDF, for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple reque

CVE-2024-23189 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 7.10.6-rev40 | published: 2024-04-08 | sources: cvelistv5, nvd
Embedded content references at tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to the user's account, access to another account within the same context, or a successful social engineering attack to make users import external content. Attacker

CVE-2024-23192 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 7.10.6-rev40 | published: 2024-04-08 | sources: cvelistv5, nvd
RSS feeds that contain malicious data- attributes could be abused to inject script code into a user's browser session when reading compromised RSS feeds or successfully luring users to compromised accounts. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases.

CVE-2024-23191 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 7.10.6-rev40 | published: 2024-04-08 | sources: cvelistv5, nvd
Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests

CVE-2024-23190 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 7.10.6-rev40 | published: 2024-04-08 | sources: cvelistv5, nvd
Upsell shop information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests or extrac

CVE-2023-41706 | MEDIUM | CVSS 6.5 | CWE-400 | affected: ≤ 7.10.6-rev55 | published: 2024-02-12 | sources: cvelistv5, nvd
Processing of user-defined drive search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly avai

CVE-2023-41708 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 7.10.6-rev38 | published: 2024-02-12 | sources: cvelistv5, nvd
References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strictly to avoid relative references. No publicly available

CVE-2023-41704 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 7.10.6-rev55 | published: 2024-02-12 | sources: cvelistv5, nvd
Processing of CID references in E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected into a user's sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handling has been improved and resulting content is checked for malicious content

CVE-2023-41707 | MEDIUM | CVSS 6.5 | CWE-400 | affected: ≤ 7.10.6-rev55 | published: 2024-02-12 | sources: cvelistv5, nvd
Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly avail

CVE-2023-41705 | MEDIUM | CVSS 6.5 | CWE-400 | affected: ≤ 7.10.6-rev55 | published: 2024-02-12 | sources: cvelistv5, nvd
Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly available expl