Open-xchange Ox_app_suite

48 CVEs affecting Open-xchange Ox_app_suite. Latest disclosed: 2024-05-06. Critical: 3, High: 3.

Top CVEs affecting Open-xchange Ox_app_suite
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-29851 | Critical | 9.8 | 2022-10-25 | documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occu… |
| CVE-2022-24405 | Critical | 9.8 | 2022-07-27 | OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. |
| CVE-2022-23100 | Critical | 9.8 | 2022-07-27 | OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). |
| CVE-2023-29048 | High | 8.8 | 2024-01-08 | A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users an… |
| CVE-2023-29051 | High | 8.1 | 2024-01-08 | User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default… |
| CVE-2023-29050 | High | 7.6 | 2024-01-08 | The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hi… |
| CVE-2024-23187 | Medium | 6.5 | 2024-05-06 | Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perfor… |
| CVE-2024-23186 | Medium | 6.5 | 2024-05-06 | E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform mal… |
| CVE-2023-24603 | Medium | 6.5 | 2023-05-29 | OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited am… |
| CVE-2022-24406 | Medium | 6.5 | 2022-07-27 | OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter… |
| CVE-2021-33491 | Medium | 6.5 | 2021-11-22 | OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses i… |
| CVE-2023-24602 | Medium | 6.1 | 2023-05-29 | OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. |
| CVE-2023-24601 | Medium | 6.1 | 2023-05-29 | OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. |
| CVE-2022-37306 | Medium | 6.1 | 2023-04-16 | OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger. |
| CVE-2022-43697 | Medium | 6.1 | 2023-04-15 | OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob. |
| CVE-2022-43696 | Medium | 6.1 | 2023-04-15 | OX App Suite before 7.10.6-rev20 allows XSS via upsell ads. |
| CVE-2022-31468 | Medium | 6.1 | 2022-10-25 | OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. |
| CVE-2022-23101 | Medium | 6.1 | 2022-07-27 | OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message. |
| CVE-2021-44213 | Medium | 6.1 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message. |
| CVE-2021-44212 | Medium | 6.1 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring. |