Filtered by vendor Open-xchange
Subscriptions
Filtered by product Open-xchange Appsuite
Subscriptions
Total
157 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-29047 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-06-12 | 5.3 Medium |
| Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content which is accessible to the imageconverter SQL user account. None No publicly available exploits are known. | ||||
| CVE-2023-41708 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-05-06 | 5.4 Medium |
| References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strict to avoid relative references. No publicly available exploits are known. | ||||
| CVE-2015-1588 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2025-04-20 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21. | ||||
| CVE-2022-29853 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.4 Medium |
| OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. | ||||
| CVE-2022-29852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.4 Medium |
| OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. | ||||
| CVE-2022-37313 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. | ||||
| CVE-2022-37312 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. | ||||
| CVE-2022-37311 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 5.3 Medium |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. | ||||
| CVE-2022-37310 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. | ||||
| CVE-2022-37309 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. | ||||
| CVE-2022-37308 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. | ||||
| CVE-2022-37307 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. | ||||
| CVE-2022-31469 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. | ||||
| CVE-2016-6844 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-6842 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-6848 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution. | ||||
| CVE-2014-7871 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call. | ||||
| CVE-2016-6845 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a proper location. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | ||||
| CVE-2016-4048 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow instructions injected by third parties as part of social engineering attacks. | ||||
| CVE-2016-6852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | N/A |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks. | ||||