Filtered by vendor Open-xchange
Subscriptions
Total
255 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-6852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks. | ||||
| CVE-2014-2393 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment. | ||||
| CVE-2014-2392 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. | ||||
| CVE-2016-6851 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already. | ||||
| CVE-2016-6853 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2015-5375 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object properties. | ||||
| CVE-2014-2391 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request. | ||||
| CVE-2016-6848 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution. | ||||
| CVE-2014-2077 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 7.4.1 before 7.4.1-rev10 and 7.4.2 before 7.4.2-rev8 allows remote attackers to inject arbitrary web script or HTML via the subject of an email, involving 'the aria "tags" for screenreaders at the top bar'. | ||||
| CVE-2016-3173 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Users actively need to add a file to the portal to enable this attack. In case of shared files however, a internal attacker may modify a previously embedded file to carry a malicious file name. Furthermore this vulnerability can be used to persistently execute code that got injected by a temporary script execution vulnerability. | ||||
| CVE-2014-1679 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file. | ||||
| CVE-2016-6845 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a proper location. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-6850 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-4028 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker. | ||||
| CVE-2016-6854 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2013-1649 | 1 Open-xchange | 1 Open-xchange Server | 2025-04-11 | N/A |
| Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses the crypt and SHA-1 algorithms for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack. | ||||
| CVE-2013-5200 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-11 | N/A |
| The (1) REST and (2) memcache interfaces in the Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 do not require authentication, which allows remote attackers to obtain sensitive information or modify data via an API call. | ||||
| CVE-2013-7143 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule. | ||||
| CVE-2013-7142 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions. | ||||
| CVE-2013-5035 | 2 Htmlcleaner Project, Open-xchange | 2 Htmlcleaner, Open-xchange Appsuite | 2025-04-11 | N/A |
| Multiple race conditions in HtmlCleaner before 2.6, as used in Open-Xchange AppSuite 7.2.2 before rev13 and other products, allow remote authenticated users to read the private e-mail of other persons in opportunistic circumstances by leveraging lack of thread safety and performing a rapid series of (1) mail-sending or (2) draft-saving operations. | ||||