| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object properties. |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Attackers can use this issue for filter evasion to inject script code later on. |
| Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type. |
| SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call. |
| The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL statement for next-year birthdays, which allows remote authenticated users to obtain sensitive birthday, displayname, firstname, and surname information via a birthdays action to api/contacts, aka bug 29315. |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can be abused to inject arbitrary text messages. Users may get tricked to follow instructions injected by third parties as part of social engineering attacks. |
| Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds. |
| Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name. |
| Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment. |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account. |
| The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 allows remote attackers to obtain sensitive information about (1) runtime activity, (2) network configuration, (3) user sessions, (4) the memcache interface, and (5) the REST interface via API calls such as a hazelcast/rest/cluster/ call, a different vulnerability than CVE-2013-5200. |
| Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite and Server before 6.20.7 rev18, 6.22.0 before rev16, 6.22.1 before rev19, 7.0.1 before rev7, 7.0.2 before rev11, and 7.2.0 before rev8 allow remote attackers to inject arbitrary web script or HTML via (1) embedded VBScript, (2) object/data Base64 content, (3) a Content-Type header, or (4) UTF-16 encoding, aka Bug IDs 25957, 26237, 26243, and 26244. |
| The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 does not properly restrict the set of network interfaces that can receive API calls, which makes it easier for remote attackers to obtain access by sending network traffic from an unintended location, a different vulnerability than CVE-2013-5200. |
| Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 has a hardcoded password for node join operations, which allows remote attackers to expand a cluster by finding this password in the source code and then sending the password in a Hazelcast cluster API call, a different vulnerability than CVE-2013-5200. |
| Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite and Server before 6.20.7 rev16, 6.22.0 before rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allow remote attackers to inject arbitrary web script or HTML via (1) a javascript: URL, (2) malformed nested SCRIPT elements, (3) a mail signature, or (4) JavaScript code within an image file. |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule. |
| Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite and Server before 6.22.0 rev16, 6.22.1 before rev19, 7.0.1 before rev7, 7.0.2 before rev11, and 7.2.0 before rev8 allows remote authenticated users to inject arbitrary web script or HTML via a delivery=view action, aka Bug ID 26373, a different vulnerability than CVE-2013-3106. |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions. |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "<%" tags. |
