Open-xchange Open-xchange Appsuite Backend — known CVE vulnerabilities
Every CVE whose affected-product data names Open-xchange Open-xchange Appsuite Backend, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2023-26451 — CVSS 7.5 (high): Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service…
CVE-2023-26436 — CVSS 7.1 (high): Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during…
CVE-2023-26428 — CVSS 6.5 (medium): Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of…
CVE-2016-6846 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before…
CVE-2023-26443 — CVSS 5.5 (medium): Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. With existing sanitization in place, this…
CVE-2023-26435 — CVSS 5.0 (medium): It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. Attackers…
CVE-2023-26431 — CVSS 5.0 (medium): IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Attackers with access to user…
CVE-2023-26434 — CVSS 4.3 (medium): When adding an external mail account, processing of POP3 "capabilities" responses are not limited to plausible sizes. Attacker with access…
CVE-2023-26433 — CVSS 4.3 (medium): When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes. Attacker with access…
CVE-2023-26432 — CVSS 4.3 (medium): When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes. Attacker with access…
CVE-2023-26438 — CVSS 4.3 (medium): External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS…
CVE-2023-26430 — CVSS 3.5 (low): Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules. This could be abused to access…
CVE-2023-26429 — CVSS 3.5 (low): Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user…
CVE-2023-26427 — CVSS 3.2 (low): Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated…