Filtered by vendor Open-xchange
Subscribe
Total
246 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31468 | 1 Open-xchange | 1 Ox App Suite | 2025-05-09 | N/A | 6.1 MEDIUM |
| OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. | |||||
| CVE-2022-29851 | 1 Open-xchange | 1 Ox App Suite | 2025-05-07 | N/A | 9.8 CRITICAL |
| documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occur for an EPS document that is disguised as a PDF document. | |||||
| CVE-2024-4367 | 3 Debian, Mozilla, Open-xchange | 4 Debian Linux, Firefox, Thunderbird and 1 more | 2025-04-24 | N/A | 8.8 HIGH |
| A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. | |||||
| CVE-2016-6846 | 1 Open-xchange | 4 Documentconverter-api, Office Web, Open-xchange Appsuite Backend and 1 more | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2015-1588 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21. | |||||
| CVE-2022-37312 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.3 MEDIUM |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. | |||||
| CVE-2022-37311 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.3 MEDIUM |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. | |||||
| CVE-2016-4048 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow instructions injected by third parties as part of social engineering attacks. | |||||
| CVE-2014-7871 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call. | |||||
| CVE-2014-5235 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds. | |||||
| CVE-2014-5237 | 1 Open-xchange | 1 App Suite | 2025-04-12 | 4.3 MEDIUM | N/A |
| Server-side request forgery (SSRF) vulnerability in the documentconverter component in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allows remote attackers to trigger requests to arbitrary servers and embed arbitrary images via a URL in an embedded image in a Text document, which is not properly handled by the image preview. | |||||
| CVE-2016-6853 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | |||||
| CVE-2016-4028 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | 3.5 LOW | 7.5 HIGH |
| An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker. | |||||
| CVE-2016-6848 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 1.9 LOW | 5.5 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution. | |||||
| CVE-2016-6852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks. | |||||
| CVE-2014-1679 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file. | |||||
| CVE-2015-5375 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object properties. | |||||
| CVE-2014-9466 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.0 MEDIUM | N/A |
| Open-Xchange (OX) AppSuite and Server before 7.4.2-rev42, 7.6.0 before 7.6.0-rev36, and 7.6.1 before 7.6.1-rev14 does not properly handle directory permissions, which allows remote authenticated users to read files via unspecified vectors, related to the "folder identifier." | |||||
| CVE-2016-6842 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | |||||
| CVE-2016-6854 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | |||||