Filtered by vendor Open-xchange
Subscriptions
Filtered by product Ox App Suite
Subscriptions
Total
53 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-24605 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.2 Medium |
| OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. | ||||
| CVE-2023-24604 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.3 Medium |
| OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. | ||||
| CVE-2023-24603 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 6.5 Medium |
| OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data. | ||||
| CVE-2023-24599 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.3 Medium |
| OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion." | ||||
| CVE-2023-24598 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.3 Medium |
| OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. | ||||
| CVE-2023-24597 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 5.3 Medium |
| OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. | ||||
| CVE-2023-24600 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 4.3 Medium |
| OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. | ||||
| CVE-2023-24601 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 6.1 Medium |
| OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. | ||||
| CVE-2023-24602 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 6.1 Medium |
| OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. | ||||
| CVE-2023-29050 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 7.6 High |
| The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known. | ||||
| CVE-2022-24406 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.5 Medium |
| OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls. | ||||
| CVE-2022-24405 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 9.8 Critical |
| OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. | ||||
| CVE-2022-23101 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message. | ||||
| CVE-2022-23100 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 9.8 Critical |
| OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). | ||||
| CVE-2021-44213 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message. | ||||
| CVE-2021-44212 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring. | ||||
| CVE-2021-44211 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 5.4 Medium |
| OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature. | ||||
| CVE-2021-44210 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data. | ||||
| CVE-2021-44209 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO. | ||||
| CVE-2021-44208 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat. | ||||