Latest Open-xchange Open-xchange Appsuite Vulnerabilities

Imageconverter API endpoints provided methods that did not sufficiently validate and sanitize client input, allowing injection of arbitrary SQL statements. An attacker with access to the adjacent ne...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout; instead those connections were logged. Some connections use user-controlled endpoin...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would be executed for users t...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected into an operation that would be executed for users that are actively collabor...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious do...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. R...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconver...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter se...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks ...
Open-xchange Open-xchange Appsuite<7.10.6
Open-xchange Open-xchange Appsuite=7.10.6
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6069
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6073
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6080
Open-xchange Open-xchange Appsuite=7.10.6-patch_release_6085
and 37 more
OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked.
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite>=8.2<8.2.324
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
and 39 more
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5982
and 47 more
OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5982
and 47 more
OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5982
and 47 more
OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5982
and 47 more
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5982
and 47 more
OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5982
and 47 more
OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.
Open-xchange Open-xchange Appsuite<7.10.5
Open-xchange Open-xchange Appsuite=7.10.5
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5961
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5973
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5976
Open-xchange Open-xchange Appsuite=7.10.5-patch_release_5982
and 47 more
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used.
Open-xchange Open-xchange Appsuite=7.10.3
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5547
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5572
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5623
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5653
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5677
and 50 more
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used.
Open-xchange Open-xchange Appsuite=7.10.3
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5547
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5572
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5623
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5653
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5677
and 50 more
OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used.
Open-xchange Open-xchange Appsuite=7.10.3
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5547
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5572
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5623
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5653
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5677
and 50 more
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled.
Open-xchange Open-xchange Appsuite=7.10.3
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5547
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5572
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5623
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5653
Open-xchange Open-xchange Appsuite=7.10.3-patch_release5677
and 50 more
OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as ![](http://onerror=Function.constructor, in a Notes item.
Open-xchange Open-xchange Appsuite<=7.10.4
OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view.
Open-xchange Open-xchange Appsuite<=7.10.4
OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone.
Open-xchange Open-xchange Appsuite<=7.10.4
OX App Suite 7.10.4 and earlier allows SSRF via a snippet.
Open-xchange Open-xchange Appsuite<=7.10.4
OX App Suite through 7.10.4 allows XSS via the subject of a task.
Open-xchange Open-xchange Appsuite<=7.10.4
OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code.
Open-xchange Open-xchange Appsuite<=7.10.3
OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL.
Open-xchange Open-xchange Appsuite<=7.10.3
OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string.
Open-xchange Open-xchange Appsuite<=7.10.3
OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.
Open-xchange Open-xchange Appsuite<=7.10.4
OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile.
Open-xchange Open-xchange Appsuite<=7.10.3
OX App Suite through 7.10.4 allows XSS via an inline binary file.
Open-xchange Open-xchange Appsuite<=7.10.3
OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.
Open-xchange Open-xchange Appsuite<=7.10.3
OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).
Open-xchange Open-xchange Appsuite<=7.10.4
OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user (via the session API during shared Drive access).
Open-xchange Open-xchange Appsuite=7.10.2
Open-xchange Open-xchange Appsuite=7.10.3
OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.
Open-xchange Open-xchange Appsuite=7.10.2
Open-xchange Open-xchange Appsuite=7.10.3
OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption.
Open-xchange Open-xchange Appsuite>=7.10.1<=7.10.3
OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.
Open-xchange Open-xchange Appsuite<=7.10.3
OX App Suite through 7.10.3 allows XXE attacks.
Open-xchange Open-xchange Appsuite=7.10.1
Open-xchange Open-xchange Appsuite=7.10.1-rev1
Open-xchange Open-xchange Appsuite=7.10.1-rev2
Open-xchange Open-xchange Appsuite=7.10.1-rev3
Open-xchange Open-xchange Appsuite=7.10.1-rev4
Open-xchange Open-xchange Appsuite=7.10.1-rev5
and 10 more
OX App Suite through 7.10.3 allows SSRF.
Open-xchange Open-xchange Appsuite=7.8.4
Open-xchange Open-xchange Appsuite=7.8.4-rev1
Open-xchange Open-xchange Appsuite=7.8.4-rev10
Open-xchange Open-xchange Appsuite=7.8.4-rev11
Open-xchange Open-xchange Appsuite=7.8.4-rev12
Open-xchange Open-xchange Appsuite=7.8.4-rev13
and 119 more
OX App Suite through 7.10.3 allows XSS.
Open-xchange Open-xchange Appsuite=7.10.1
Open-xchange Open-xchange Appsuite=7.10.1-rev1
Open-xchange Open-xchange Appsuite=7.10.1-rev10
Open-xchange Open-xchange Appsuite=7.10.1-rev11
Open-xchange Open-xchange Appsuite=7.10.1-rev12
Open-xchange Open-xchange Appsuite=7.10.1-rev13
and 48 more
OX App Suite through 7.10.3 has Improper Input Validation.
Open-xchange Open-xchange Appsuite=7.8.4
Open-xchange Open-xchange Appsuite=7.8.4-rev1
Open-xchange Open-xchange Appsuite=7.8.4-rev10
Open-xchange Open-xchange Appsuite=7.8.4-rev11
Open-xchange Open-xchange Appsuite=7.8.4-rev12
Open-xchange Open-xchange Appsuite=7.8.4-rev13
and 119 more
OX App Suite through 7.10.2 allows SSRF.
Open-xchange Open-xchange Appsuite<=7.10.2
XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impa...
Open-xchange Open-xchange Appsuite<=7.4.1
Open-xchange Open-xchange Appsuite=7.4.2
Open-xchange Open-xchange Appsuite=7.4.2-revision1
Open-xchange Open-xchange Appsuite=7.4.2-revision10
Open-xchange Open-xchange Appsuite=7.4.2-revision2
Open-xchange Open-xchange Appsuite=7.4.2-revision3
and 15 more
OX App Suite through 7.10.2 has XSS.
Open-xchange Open-xchange Appsuite<=7.10.2
OX App Suite through 7.10.2 has Incorrect Access Control.
Open-xchange Open-xchange Appsuite<=7.10.2
Open-xchange Open-xchange Appsuite=7.2.2
Open-xchange Open-xchange Appsuite=7.4.0
