Open-xchange Open-xchange Appsuite — known CVE vulnerabilities
Every CVE whose affected-product data names Open-xchange Open-xchange Appsuite, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVE-2020-12645 — CVSS 9.8 (critical): OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and…
CVE-2018-5752 — CVSS 8.8 (high): The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before…
CVE-2014-5238 — CVSS 7.8 (high): XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote…
CVE-2023-26452 — CVSS 7.6 (high): Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this…
CVE-2023-26454 — CVSS 7.6 (high): Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability…
CVE-2023-26453 — CVSS 7.6 (high): Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires…
CVE-2013-5200 — CVSS 7.5 (high): The (1) REST and (2) memcache interfaces in the Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before…
CVE-2016-3174 — CVSS 7.4 (high): An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL…
CVE-2023-41704 — CVSS 7.1 (high): Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script…
CVE-2023-41705 — CVSS 6.5 (medium): Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing…
CVE-2018-5751 — CVSS 6.5 (medium): The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before…
CVE-2018-5753 — CVSS 6.5 (medium): The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4…
CVE-2017-17062 — CVSS 6.5 (medium): The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before…
CVE-2023-41707 — CVSS 6.5 (medium): Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing…
CVE-2018-9998 — CVSS 6.5 (medium): Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include…
CVE-2023-41706 — CVSS 6.5 (medium): Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached…
CVE-2021-23927 — CVSS 6.4 (medium): OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request.
CVE-2016-4045 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In…
CVE-2016-5124 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop…
CVE-2016-5740 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within…
CVE-2016-6842 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when…
CVE-2016-6843 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those…
CVE-2016-6844 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files…
CVE-2016-6845 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting…
CVE-2016-6847 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML…
CVE-2016-6850 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML…
CVE-2013-6242 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before…
CVE-2020-28945 — CVSS 6.1 (medium): OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as : OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an…
CVE-2022-37310 — CVSS 6.1 (medium): OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a…
CVE-2020-24701 — CVSS 6.1 (medium): OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).
CVE-2023-29043 — CVSS 6.1 (medium): Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed…
CVE-2023-41703 — CVSS 6.1 (medium): User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when…
CVE-2022-37309 — CVSS 6.1 (medium): OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.
CVE-2022-31469 — CVSS 6.1 (medium): OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.
CVE-2021-37403 — CVSS 6.1 (medium): OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link…
CVE-2021-37402 — CVSS 6.1 (medium): OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval…
CVE-2013-7485 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev26 and 7.4.x before 7.4.0-rev16…
CVE-2013-7486 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20…
CVE-2021-31935 — CVSS 6.1 (medium): OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the…
CVE-2021-31934 — CVSS 6.1 (medium): OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in…
CVE-2021-26698 — CVSS 6.1 (medium): OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link…
CVE-2015-1588 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and…
CVE-2021-23929 — CVSS 6.1 (medium): OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/<share-token>?…
CVE-2016-2840 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can…
CVE-2016-4026 — CVSS 6.1 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering…
CVE-2018-9997 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3…
CVE-2016-4046 — CVSS 5.8 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map…
CVE-2023-26455 — CVSS 5.6 (medium): RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access…
CVE-2018-5755 — CVSS 5.5 (medium): Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before…
CVE-2016-6848 — CVSS 5.5 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download…
CVE-2016-3173 — CVSS 5.4 (medium): An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to…
CVE-2018-5754 — CVSS 5.4 (medium): Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before…
CVE-2020-24700 — CVSS 5.4 (medium): OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring.
CVE-2021-26699 — CVSS 5.4 (medium): OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the…
CVE-2022-29853 — CVSS 5.4 (medium): OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.
CVE-2023-29044 — CVSS 5.4 (medium): Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an…
CVE-2023-29045 — CVSS 5.4 (medium): Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could…
CVE-2023-41708 — CVSS 5.4 (medium): References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that…
CVE-2014-2078 — CVSS 5.3 (medium): The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain sensitive information about user email…
CVE-2023-29047 — CVSS 5.3 (medium): Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject…
CVE-2022-37313 — CVSS 5.3 (medium): OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record.
CVE-2022-37312 — CVSS 5.3 (medium): OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer…
CVE-2022-37311 — CVSS 5.3 (medium): OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.
CVE-2013-2582 — CVSS 5.0 (medium): CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1…
CVE-2013-5035 — CVSS 4.9 (medium): Multiple race conditions in HtmlCleaner before 2.6, as used in Open-Xchange AppSuite 7.2.2 before rev13 and other products, allow remote…
CVE-2020-15003 — CVSS 4.3 (medium): OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user…
CVE-2014-5234 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16…
CVE-2014-2393 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote…
CVE-2014-2392 — CVSS 4.3 (medium): The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13…
CVE-2014-2391 — CVSS 4.3 (medium): The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an…
CVE-2014-8993 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and…
CVE-2013-3106 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite and Server before 6.20.7 rev18, 6.22.0 before rev16, 6.22.1…
CVE-2016-4048 — CVSS 4.3 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify…
CVE-2018-5756 — CVSS 4.3 (medium): The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before…
CVE-2020-12643 — CVSS 4.3 (medium): OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address.
CVE-2016-6852 — CVSS 4.3 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response…
CVE-2013-2583 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite and Server before 6.20.7 rev16, 6.22.0 before rev15, 6.22.1…
CVE-2023-29046 — CVSS 4.3 (medium): Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those…
CVE-2014-5235 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16…
CVE-2014-2077 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 7.4.1 before 7.4.1-rev10 and 7.4.2 before 7.4.2-rev8…
CVE-2014-1679 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before…
CVE-2013-7143 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML…
CVE-2013-7142 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web…
CVE-2013-7141 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web…
CVE-2013-6997 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange (OX) AppSuite 7.4.0 and earlier allow remote attackers to inject…
CVE-2013-6074 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14 allows remote…
CVE-2015-5375 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App…
CVE-2016-4047 — CVSS 4.3 (medium): An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd…
CVE-2013-6009 — CVSS 4.3 (medium): CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, when using AJP in certain conditions, allows remote attackers to inject…
CVE-2013-5936 — CVSS 4.3 (medium): The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 allows remote attackers to obtain…
CVE-2013-5935 — CVSS 4.3 (medium): The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 does not properly restrict the set…
CVE-2013-7140 — CVSS 4.0 (medium): XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated…
CVE-2014-9466 — CVSS 4.0 (medium): Open-Xchange (OX) AppSuite and Server before 7.4.2-rev42, 7.6.0 before 7.6.0-rev36, and 7.6.1 before 7.6.1-rev14 does not properly handle…
CVE-2013-6241 — CVSS 4.0 (medium): The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id…
CVE-2013-5934 — CVSS 4.0 (medium): Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 has a hardcoded password for node join operations, which allows…
CVE-2013-5698 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite and Server before 6.22.0 rev16, 6.22.1 before rev19, 7.0.1 before rev7…
CVE-2013-5690 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite before 7.2.2 allow remote authenticated users to inject…
CVE-2013-4790 — CVSS 3.5 (low): Open-Xchange AppSuite before 7.0.2 rev14, 7.2.0 before rev11, 7.2.1 before rev10, and 7.2.2 before rev9 relies on user-supplied data to…
CVE-2016-4027 — CVSS 3.5 (low): An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store…