Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ox_app_suite
(Open\-Xchange)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 45 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-01-08 | CVE-2023-29050 | The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known. | Ox_app_suite | 9.6 | ||
| 2022-07-27 | CVE-2022-24406 | OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls. | Ox_app_suite | 6.5 | ||
| 2023-05-29 | CVE-2023-24597 | OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. | Ox_app_suite | 5.3 | ||
| 2023-05-29 | CVE-2023-24598 | OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. | Ox_app_suite | 4.3 | ||
| 2023-05-29 | CVE-2023-24605 | OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. | Ox_app_suite | 4.2 | ||
| 2023-05-29 | CVE-2023-24603 | OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data. | Ox_app_suite | 6.5 | ||
| 2023-05-29 | CVE-2023-24604 | OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. | Ox_app_suite | 4.3 | ||
| 2023-05-29 | CVE-2023-24599 | OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion." | Ox_app_suite | 4.3 | ||
| 2023-05-29 | CVE-2023-24600 | OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. | Ox_app_suite | 4.3 | ||
| 2023-05-29 | CVE-2023-24601 | OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. | Ox_app_suite | 6.1 |