Search Results (278 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-6846 1 Open-xchange 4 Documentconverter-api, Office Web, Open-xchange Appsuite Backend and 1 more 2025-04-20 N/A
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML.
CVE-2023-29049 1 Open-xchange 1 Ox App Suite 2025-04-17 5.4 Medium
The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.
CVE-2022-29853 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.4 Medium
OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.
CVE-2022-29852 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.4 Medium
OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked.
CVE-2022-37313 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.3 Medium
OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.
CVE-2022-37312 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.3 Medium
OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.
CVE-2022-37311 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 5.3 Medium
OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.
CVE-2022-37310 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.
CVE-2022-37309 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.
CVE-2022-37308 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.
CVE-2022-37307 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.
CVE-2022-31469 1 Open-xchange 1 Open-xchange Appsuite 2025-04-14 6.1 Medium
OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.
CVE-2016-6850 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CVE-2016-6851 1 Open-xchange 1 Ox Guard 2025-04-12 N/A
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already.
CVE-2016-4027 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account.
CVE-2016-6847 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CVE-2016-6852 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks.
CVE-2016-6842 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
CVE-2014-8993 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type.
CVE-2014-2391 1 Open-xchange 1 Open-xchange Appsuite 2025-04-12 N/A
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request.