Filtered by vendor Open-xchange
Subscribe
Total
254 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4367 | 3 Debian, Mozilla, Open-xchange | 4 Debian Linux, Firefox, Thunderbird and 1 more | 2025-04-24 | N/A | 8.8 HIGH |
| A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. | |||||
| CVE-2015-1588 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21. | |||||
| CVE-2016-6846 | 1 Open-xchange | 4 Documentconverter-api, Office Web, Open-xchange Appsuite Backend and 1 more | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2022-29853 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.4 MEDIUM |
| OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. | |||||
| CVE-2022-29852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.4 MEDIUM |
| OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. | |||||
| CVE-2022-37313 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.3 MEDIUM |
| OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. | |||||
| CVE-2022-37312 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.3 MEDIUM |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. | |||||
| CVE-2022-37311 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.3 MEDIUM |
| OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. | |||||
| CVE-2022-37310 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
| OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. | |||||
| CVE-2022-37309 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
| OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. | |||||
| CVE-2022-37308 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
| OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. | |||||
| CVE-2022-37307 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
| OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. | |||||
| CVE-2022-31469 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
| OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. | |||||
| CVE-2016-6853 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | |||||
| CVE-2016-4045 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader of App Suite, code gets executed at the context of the user. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). The attacker needs to reside within the same context to make this attack work. | |||||
| CVE-2016-6854 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | |||||
| CVE-2014-2393 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment. | |||||
| CVE-2014-1679 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file. | |||||
| CVE-2016-6844 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | |||||
| CVE-2016-6850 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or viewing the related person's image within a browser. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | |||||