Search
Total
17 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26454 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 8.8 HIGH |
| Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known. | |||||
| CVE-2023-26455 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 7.8 HIGH |
| RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known. | |||||
| CVE-2023-29047 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 7.3 HIGH |
| Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent network and potentially API credentials, could read and modify database content which is accessible to the imageconverter SQL user account. None No publicly available exploits are known. | |||||
| CVE-2023-26452 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 8.8 HIGH |
| Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known. | |||||
| CVE-2023-26453 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 8.8 HIGH |
| Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known. | |||||
| CVE-2020-8543 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| OX App Suite through 7.10.3 has Improper Input Validation. | |||||
| CVE-2019-11521 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-08-24 | 5.8 MEDIUM | 8.1 HIGH |
| OX App Suite 7.10.1 allows Content Spoofing. | |||||
| CVE-2019-7159 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| OX App Suite 7.10.1 and earlier allows Information Exposure. | |||||
| CVE-2014-5236 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-02-06 | 5.0 MEDIUM | 7.5 HIGH |
| Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file. | |||||
| CVE-2014-5238 | 1 Open-xchange | 1 Open-xchange Appsuite | 2020-01-28 | 6.8 MEDIUM | 7.8 HIGH |
| XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document. | |||||
| CVE-2019-14226 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-10-17 | 5.5 MEDIUM | 8.1 HIGH |
| OX App Suite through 7.10.2 has Insecure Permissions. | |||||
| CVE-2017-5211 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 5.0 MEDIUM | 7.5 HIGH |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Content Spoofing. | |||||
| CVE-2017-6912 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 6.5 MEDIUM | 8.8 HIGH |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. | |||||
| CVE-2017-8340 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-23 | 6.5 MEDIUM | 8.8 HIGH |
| Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incorrect Access Control. | |||||
| CVE-2017-12884 | 1 Open-xchange | 1 Open-xchange Appsuite | 2019-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| OX Software GmbH App Suite 7.8.4 and earlier is affected by: Information Exposure. | |||||
| CVE-2016-3174 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-10-19 | 4.3 MEDIUM | 7.4 HIGH |
| An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks. | |||||
| CVE-2018-5752 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-08-03 | 6.5 MEDIUM | 8.8 HIGH |
| The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses. | |||||