National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:open-xchange:open-xchange_appsuite:7.0.1
There are 80 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2017-12885

OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Site Scripting (XSS).

Published: May 10, 2019; 11:29:00 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-13104

OX App Suite 7.8.4 and earlier allows XSS. Internal reference: 58742 (Bug ID)

Published: March 21, 2019; 12:00:17 PM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2018-13103

OX App Suite 7.8.4 and earlier allows SSRF.

Published: March 21, 2019; 12:00:17 PM -04:00
V3.0: 5.4 MEDIUM
    V2: 5.5 MEDIUM
CVE-2018-12611

OX App Suite 7.8.4 and earlier allows Directory Traversal.

Published: January 30, 2019; 10:29:03 AM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-12610

OX App Suite 7.8.4 and earlier allows Information Exposure.

Published: January 30, 2019; 10:29:03 AM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2018-12609

OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery.

Published: January 30, 2019; 10:29:03 AM -05:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2017-6913

Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag.

Published: September 18, 2018; 04:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-9998

Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include folder names in API error responses, which allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to api/tasks.

Published: July 05, 2018; 04:29:00 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-9997

Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page with data-toggle gadgets.

Published: July 05, 2018; 04:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-5756

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks.

Published: June 15, 2018; 09:29:06 PM -04:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-5755

Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet.

Published: June 15, 2018; 09:29:06 PM -04:00
V3.0: 5.5 MEDIUM
    V2: 7.1 HIGH
CVE-2018-5754

Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard.

Published: June 15, 2018; 09:29:06 PM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2018-5753

The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address.

Published: June 15, 2018; 09:29:06 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-5752

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses.

Published: June 15, 2018; 09:29:06 PM -04:00
V3.0: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2018-5751

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs.

Published: June 15, 2018; 09:29:06 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2017-17062

The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privilege management.

Published: June 15, 2018; 09:29:02 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2015-1588

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21.

Published: June 08, 2017; 05:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-6852

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks.

Published: December 15, 2016; 01:59:23 AM -05:00
V3.0: 4.3 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-6850

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Published: December 15, 2016; 01:59:21 AM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-6848

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution.

Published: December 15, 2016; 01:59:20 AM -05:00
V3.0: 5.5 MEDIUM
    V2: 1.9 LOW