Summary
| Detail | |||
|---|---|---|---|
| Vendor | Open-Xchange | First view | 2016-12-15 |
| Product | Open-Xchange Appsuite | Last view | 2022-12-26 |
| Version | 7.6.3 | Type | Application |
| Update | rev28 | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:open-xchange:open-xchange_appsuite | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 5.3 | 2022-12-26 | CVE-2022-37313 | OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. |
| 5.3 | 2022-12-26 | CVE-2022-37312 | OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. |
| 5.3 | 2022-12-26 | CVE-2022-37311 | OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. |
| 6.1 | 2022-12-26 | CVE-2022-37310 | OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. |
| 6.1 | 2022-12-26 | CVE-2022-37309 | OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. |
| 6.1 | 2022-12-26 | CVE-2022-37308 | OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. |
| 6.1 | 2022-12-26 | CVE-2022-37307 | OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. |
| 6.1 | 2022-12-26 | CVE-2022-31469 | OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. |
| 5.4 | 2022-12-26 | CVE-2022-29853 | OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. |
| 5.4 | 2022-12-26 | CVE-2022-29852 | OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. |
| 6.1 | 2021-05-03 | CVE-2020-28945 | OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as  that is mishandled in the scheduling view. |
| 6.1 | 2021-04-30 | CVE-2021-31934 | OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone. |
| 6.5 | 2021-04-30 | CVE-2020-28943 | OX App Suite 7.10.4 and earlier allows SSRF via a snippet. |
| 6.1 | 2021-01-12 | CVE-2021-23936 | OX App Suite through 7.10.4 allows XSS via the subject of a task. |
| 6.1 | 2021-01-12 | CVE-2021-23935 | OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code. |
| 6.1 | 2021-01-12 | CVE-2021-23934 | OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. |
| 6.1 | 2021-01-12 | CVE-2021-23933 | OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL. |
| 6.1 | 2021-01-12 | CVE-2021-23932 | OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename. |
| 6.1 | 2021-01-12 | CVE-2021-23931 | OX App Suite through 7.10.4 allows XSS via an inline binary file. |
| 6.1 | 2021-01-12 | CVE-2021-23930 | OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. |
| 6.1 | 2021-01-12 | CVE-2021-23929 | OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/ |
| 6.1 | 2021-01-12 | CVE-2021-23928 | OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string. |
| 6.4 | 2021-01-12 | CVE-2021-23927 | OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. |
| 6.1 | 2021-01-12 | CVE-2020-24701 | OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI). |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 63% (48) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| 11% (9) | CWE-200 | Information Exposure |
| 3% (3) | CWE-284 | Access Control (Authorization) Issues |
| 3% (3) | CWE-20 | Improper Input Validation |
| 2% (2) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
| 1% (1) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 1% (1) | CWE-639 | Access Control Bypass Through User-Controlled Key |
| 1% (1) | CWE-611 | Information Leak Through XML External Entity File Disclosure |
| 1% (1) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| 1% (1) | CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| 1% (1) | CWE-281 | Improper Preservation of Permissions |
| 1% (1) | CWE-276 | Incorrect Default Permissions |
| 1% (1) | CWE-275 | Permission Issues |
| 1% (1) | CWE-269 | Improper Privilege Management |
| 1% (1) | CWE-254 | Security Features |
| 1% (1) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2018-05-15 | Name: The remote Virtuozzo host is missing multiple security updates. File: Virtuozzo_VZA-2018-029.nasl - Type: ACT_GATHER_INFO |
