Vulnerabilities (CVE)

91 total CVE
CVE Vendors Products Updated CVSS
CVE-2014-1679 1 Open-xchange 1 Open-xchange Appsuite 2017-08-29 4.3
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file.
CVE-2013-7143 1 Open-xchange 1 Open-xchange Appsuite 2017-08-29 4.3
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 allows remote attackers to inject arbitrary web script or HTML via the title in a mail filter rule.
CVE-2013-7142 1 Open-xchange 1 Open-xchange Appsuite 2017-08-29 4.3
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified oAuth API functions.
CVE-2013-7141 1 Open-xchange 1 Open-xchange Appsuite 2017-08-29 4.3
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to crafted "<%" tags.
CVE-2013-7140 1 Open-xchange 1 Open-xchange Appsuite 2017-08-29 4.0
XML External Entity (XXE) vulnerability in the CalDAV interface in Open-Xchange (OX) AppSuite 7.4.1 and earlier allows remote authenticated users to read portions of arbitrary files via vectors related to the SAX builder and the WebDAV interface....
CVE-2013-6074 1 Open-xchange 1 Open-xchange Appsuite 2017-08-29 4.3
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14 allows remote attackers to inject arbitrary web script or HTML via an attached SVG file.
CVE-2016-6852 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific...
CVE-2016-6842 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to...
CVE-2016-6843 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the...
CVE-2016-6844 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64...
CVE-2016-6845 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks...
CVE-2016-6850 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get executed when calling the related picture URL or...
CVE-2016-6848 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 1.9
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows)...
CVE-2016-6847 1 Open-xchange 1 Open-xchange Appsuite 2016-12-16 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when calling the related cover URL. Malicious script...
CVE-2013-6241 1 Open-xchange 1 Open-xchange Appsuite 2014-12-29 4.0
The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL statement for next-year birthdays, which allows remote...
CVE-2014-2393 1 Open-xchange 1 Open-xchange Appsuite 2014-04-24 4.3
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of...
CVE-2014-2392 1 Open-xchange 1 Open-xchange Appsuite 2014-04-24 4.3
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading...
CVE-2014-2391 1 Open-xchange 1 Open-xchange Appsuite 2014-04-24 4.3
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid...
CVE-2014-2077 1 Open-xchange 1 Open-xchange Appsuite 2014-03-24 4.3
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 7.4.1 before 7.4.1-rev10 and 7.4.2 before 7.4.2-rev8 allows remote attackers to inject arbitrary web script or HTML via the subject of an email, involving 'the...
CVE-2013-5200 1 Open-xchange 1 Open-xchange Appsuite 2013-10-15 7.5
The (1) REST and (2) memcache interfaces in the Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 do not require authentication, which allows remote attackers to obtain sensitive information or...