Filtered by vendor Open-xchange
Subscribe
Total
246 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-24600 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 4.3 MEDIUM |
OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. | |||||
CVE-2023-24597 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 5.3 MEDIUM |
OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. | |||||
CVE-2022-43699 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 4.3 MEDIUM |
OX App Suite before 7.10.6-rev30 allows SSRF because e-mail account discovery disregards the deny-list and thus can be attacked by an adversary who controls the DNS records of an external domain (found in the host part of an e-mail address). | |||||
CVE-2023-24603 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 6.5 MEDIUM |
OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data. | |||||
CVE-2022-43698 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 4.3 MEDIUM |
OX App Suite before 7.10.6-rev30 allows SSRF because changing a POP3 account disregards the deny-list. | |||||
CVE-2023-24599 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 4.3 MEDIUM |
OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion." | |||||
CVE-2023-24602 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. | |||||
CVE-2023-24605 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 4.2 MEDIUM |
OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. | |||||
CVE-2022-37306 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger. | |||||
CVE-2023-24601 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. | |||||
CVE-2023-24604 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 4.3 MEDIUM |
OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. | |||||
CVE-2023-24598 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 4.3 MEDIUM |
OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. | |||||
CVE-2022-43696 | 1 Open-xchange | 1 Ox App Suite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite before 7.10.6-rev20 allows XSS via upsell ads. | |||||
CVE-2022-37307 | 1 Open-xchange | 1 Open-xchange Appsuite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. | |||||
CVE-2022-37308 | 1 Open-xchange | 1 Open-xchange Appsuite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. | |||||
CVE-2022-29852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2023-12-10 | N/A | 5.4 MEDIUM |
OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. | |||||
CVE-2022-37310 | 1 Open-xchange | 1 Open-xchange Appsuite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. | |||||
CVE-2022-29853 | 1 Open-xchange | 1 Open-xchange Appsuite | 2023-12-10 | N/A | 5.4 MEDIUM |
OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. | |||||
CVE-2022-37311 | 1 Open-xchange | 1 Open-xchange Appsuite | 2023-12-10 | N/A | 5.3 MEDIUM |
OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. | |||||
CVE-2022-37309 | 1 Open-xchange | 1 Open-xchange Appsuite | 2023-12-10 | N/A | 6.1 MEDIUM |
OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. |