Search Results (278 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2015-1588 1 Open-xchange 2 Open-xchange Appsuite, Open-xchange Server 2025-04-20 N/A
Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21.
CVE-2023-29049 1 Open-xchange 1 Ox App Suite 2025-04-17 5.4 Medium
The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.
CVE-2022-29853 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.4 Medium
OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.
CVE-2022-29852 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.4 Medium
OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked.
CVE-2022-37313 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.3 Medium
OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.
CVE-2022-37312 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.3 Medium
OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.
CVE-2022-37311 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.3 Medium
OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.
CVE-2022-37310 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.
CVE-2022-37309 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.
CVE-2022-37308 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.
CVE-2022-37307 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.
CVE-2022-31469 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.
CVE-2014-9466 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
Open-Xchange (OX) AppSuite and Server before 7.4.2-rev42, 7.6.0 before 7.6.0-rev36, and 7.6.1 before 7.6.1-rev14 does not properly handle directory permissions, which allows remote authenticated users to read files via unspecified vectors, related to the "folder identifier."
CVE-2016-6848 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution.
CVE-2016-6850 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CVE-2014-5237 1 Open-xchange 1 App Suite 2025-04-12 N/A
Server-side request forgery (SSRF) vulnerability in the documentconverter component in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allows remote attackers to trigger requests to arbitrary servers and embed arbitrary images via a URL in an embedded image in a Text document, which is not properly handled by the image preview.
CVE-2014-2077 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 7.4.1 before 7.4.1-rev10 and 7.4.2 before 7.4.2-rev8 allows remote attackers to inject arbitrary web script or HTML via the subject of an email, involving 'the aria "tags" for screenreaders at the top bar'.
CVE-2016-6852 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks.
CVE-2016-5124 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image from a specially crafted website and add it to HTML editor areas of OX App Suite, for example E-Mail Compose or OX Text. This specific attack circumvents typical XSS filters and detection mechanisms since the code is not loaded from an external service but injected locally. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this vulnerability, a attacker needs to convince a user to follow specific steps (social-engineering).
CVE-2014-2392 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.