CVE-2021-28095
https://notcve.org/view.php?id=CVE-2021-28095
OX Documents before 7.10.5-rev5 has Incorrect Access Control for documents that contain XML structures because hash collisions can occur, due to use of CRC32. OX Documents versiones anteriores a 7.10.5-rev5, presenta un Control de Acceso Incorrecto para los documentos que contienen estructuras XML porque pueden ocurrir colisiones de hash, debido al uso de CRC32 • http://packetstormsecurity.com/files/163569/OX-Documents-7.10.5-Improper-Authorization.html http://seclists.org/fulldisclosure/2021/Jul/37 https://www.open-xchange.com • CWE-326: Inadequate Encryption Strength •
CVE-2021-28093
https://notcve.org/view.php?id=CVE-2021-28093
OX Documents before 7.10.5-rev5 has Incorrect Access Control of converted images because hash collisions can occur, due to use of Adler32. OX Documents versiones anteriores a 7.10.5-rev5, presenta un Control de Acceso Incorrecto de imágenes convertidas porque pueden ocurrir colisiones de hash, debido al uso de Adler32 • http://packetstormsecurity.com/files/163569/OX-Documents-7.10.5-Improper-Authorization.html http://seclists.org/fulldisclosure/2021/Jul/37 https://www.open-xchange.com • CWE-326: Inadequate Encryption Strength •
CVE-2021-26699 – OX App Suite / OX Guard / OX Documents SSRF / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-26699
OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used. OX App Suite versiones anteriores a 7.10.3-rev4 y 7.10.4 versiones anteriores a 7.10.4-rev4, permite un ataque de tipo SSRF por medio de un documento SVG compartido que es manejado inapropiadamente por el componente imageconverter cuando la extensión .png es usada Open-Xchange OX App Suite, OX Guard, and OX Documents suffer from server-side request forgery and cross site scripting vulnerabilities. Some of these issues only affect version 7.10.3 while some affect 7.10.4 and earlier. • http://packetstormsecurity.com/files/163527/OX-App-Suite-OX-Guard-OX-Documents-SSRF-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2021/Jul/33 https://seclists.org/fulldisclosure/2021/Jul/33 https://www.open-xchange.com • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2021-26698 – OX App Suite / OX Guard / OX Documents SSRF / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-26698
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used. OX App Suite versiones anteriores a 7.10.3-rev32 y versiones 7.10.4 anteriores a 7.10.4-rev18, permite un ataque de tipo XSS por medio de un fragmento de código (contenido generado por el usuario) cuando se crea un enlace para compartir y el parámetro dl es usado Open-Xchange OX App Suite, OX Guard, and OX Documents suffer from server-side request forgery and cross site scripting vulnerabilities. Some of these issues only affect version 7.10.3 while some affect 7.10.4 and earlier. • http://packetstormsecurity.com/files/163527/OX-App-Suite-OX-Guard-OX-Documents-SSRF-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2021/Jul/33 https://www.open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-31934
https://notcve.org/view.php?id=CVE-2021-31934
OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone. OX App Suite versiones 7.10.4 y anteriores permiten un ataque de tipo XSS por medio de un objeto de contacto diseñado (carga útil en el campo position o company) que es manejado inapropiadamente en la Interfaz de Usuario App Suite en un teléfono inteligente. • https://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •