Open-xchange Ox_app_suite
48 CVEs affecting Open-xchange Ox_app_suite. Latest disclosed: 2024-05-06. Critical: 3, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-29851 | Critical | 9.8 | 2022-10-25 | documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occu… |
| CVE-2022-24405 | Critical | 9.8 | 2022-07-27 | OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. |
| CVE-2022-23100 | Critical | 9.8 | 2022-07-27 | OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). |
| CVE-2023-29048 | High | 8.8 | 2024-01-08 | A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users an… |
| CVE-2023-29051 | High | 8.1 | 2024-01-08 | User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default… |
| CVE-2023-29050 | High | 7.6 | 2024-01-08 | The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hi… |
| CVE-2024-23187 | Medium | 6.5 | 2024-05-06 | Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perfor… |
| CVE-2024-23186 | Medium | 6.5 | 2024-05-06 | E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform mal… |
| CVE-2023-24603 | Medium | 6.5 | 2023-05-29 | OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited am… |
| CVE-2022-24406 | Medium | 6.5 | 2022-07-27 | OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter… |
| CVE-2021-33491 | Medium | 6.5 | 2021-11-22 | OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses i… |
| CVE-2023-24602 | Medium | 6.1 | 2023-05-29 | OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. |
| CVE-2023-24601 | Medium | 6.1 | 2023-05-29 | OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. |
| CVE-2022-37306 | Medium | 6.1 | 2023-04-16 | OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger. |
| CVE-2022-43697 | Medium | 6.1 | 2023-04-15 | OX App Suite before 7.10.6-rev30 allows XSS via an activity tracking adapter defined by jslob. |
| CVE-2022-43696 | Medium | 6.1 | 2023-04-15 | OX App Suite before 7.10.6-rev20 allows XSS via upsell ads. |
| CVE-2022-31468 | Medium | 6.1 | 2022-10-25 | OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. |
| CVE-2022-23101 | Medium | 6.1 | 2022-07-27 | OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message. |
| CVE-2021-44213 | Medium | 6.1 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message. |
| CVE-2021-44212 | Medium | 6.1 | 2022-03-28 | OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring. |
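The last row, CVE-2021-44212, describes the general class of bug behind many mail-client XSS findings: a string-matching filter checks for `<script>` or `<script ` while the HTML tokenizer ends a tag name at any of TAB, LF, FF, CR, SPACE, `/` or `>`, so `<script\t>` is a script element to the browser but not to the filter. The block below is an added illustration of that mismatch, not OX App Suite code and not a reproduction of the actual OX defect; the function names, the naive filter and the sample inputs are constructed for this page.

```javascript
// Added illustration (not OX App Suite code): a hand-written blocklist that only
// recognises "<script>" and "<script " versus a check that terminates the tag name
// the way the HTML tokenizer does. Per the HTML standard, a tag name ends at
// TAB, LF, FF, CR, SPACE, "/" or ">".
const TAG_NAME_TERMINATORS = ['\t', '\n', '\f', '\r', ' ', '/', '>'];

// Naive filter: the pattern a string-based blocklist tends to take (hypothetical).
function naiveBlocksScript(html) {
  const lower = html.toLowerCase();
  return lower.includes('<script>') || lower.includes('<script ');
}

// Tokenizer-aware check: "<script" followed by any tag-name terminator (or end of
// input) starts a script element, whatever the terminator is.
function tokenizerAwareBlocksScript(html) {
  const lower = html.toLowerCase();
  let i = lower.indexOf('<script');
  while (i !== -1) {
    const next = lower[i + '<script'.length];
    if (next === undefined || TAG_NAME_TERMINATORS.includes(next)) return true;
    i = lower.indexOf('<script', i + 1);
  }
  return false;
}

// Constructed sample inputs: benign markup, the classic payload, control-character
// variants of it, and a decoy element name that must not be flagged.
const samples = {
  plain: '<p>hello</p>',
  classic: '<script>alert(1)</script>',
  tab: '<script\t>alert(1)</script>',
  formfeed: '<script\fsrc=x></script>',
  slash: '<script/x>alert(1)</script>',
  decoy: '<scripter>not a script tag</scripter>',
};

// Runs both checks over every sample and returns the verdicts for comparison.
function evaluate() {
  const out = {};
  for (const [name, html] of Object.entries(samples)) {
    out[name] = {
      naive: naiveBlocksScript(html),
      aware: tokenizerAwareBlocksScript(html),
    };
  }
  return out;
}

console.table(evaluate());
```

The point of the comparison is not that the second function is a sanitizer; it is still a blocklist and still misses every vector that does not spell `<script`. Mail content rendered by a web client should be parsed into a DOM and reduced to an allowlist of elements and attributes, so that control characters inside tag and attribute names never reach a string comparison in the first place.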