CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3173 – Open-Xchange OX AppSuite 7.8.0 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2016-3173
25 May 2016 — An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user's context. • http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-2840
https://notcve.org/view.php?id=CVE-2016-2840
04 Apr 2016 — An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, the vulnerability can be exploited without being authenticated and therefore used for social engineering attacks, stealing cookies or redirecting from trustwor... • http://packetstormsecurity.com/files/136543/Open-Xchange-7.8.0-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5375
https://notcve.org/view.php?id=CVE-2015-5375
23 Sep 2015 — Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object properties. Vulnerabilidad de XSS en diálogos no especificados para imprimir contenido en el Front End en Open-Xchange Server 6 y OX App Suite en versiones anteriore... • http://packetstormsecurity.com/files/133674/Open-Xchange-Server-6-OX-AppSuite-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2015-1588
https://notcve.org/view.php?id=CVE-2015-1588
27 Apr 2015 — Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server 6 and OX AppSuite before 7.4.2-rev43, 7.6.0-rev38, and 7.6.1-rev21. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Open-Xchange Server 6 y OX AppSuite, versiones anteriores a la 7.4.2-rev43, 7.6.0-rev38 y 7.6.1-rev21. • http://packetstormsecurity.com/files/131649/Open-Xchange-Server-6-OX-AppSuite-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2014-9466
https://notcve.org/view.php?id=CVE-2014-9466
12 Feb 2015 — Open-Xchange (OX) AppSuite and Server before 7.4.2-rev42, 7.6.0 before 7.6.0-rev36, and 7.6.1 before 7.6.1-rev14 does not properly handle directory permissions, which allows remote authenticated users to read files via unspecified vectors, related to the "folder identifier." Open-Xchange (OX) AppSuite and Server anterior a 7.4.2-rev42, 7.6.0 anterior a 7.6.0-rev36, y 7.6.1 anterior a 7.6.1-rev14 no maneja correctamente los permisos de directorios, lo que permite a usuarios remotos autenticados leer ficheros... • http://packetstormsecurity.com/files/130379/Open-Xchange-Server-6-OX-AppSuite-7.6.1-Exposure.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2014-8993
https://notcve.org/view.php?id=CVE-2014-8993
05 Jan 2015 — Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type. Vulnerabilidad de XSS en el backend en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev40, 7.6.0 anterior a 7.6.0-rev32, y 7.6.1 anterior a 7.6.1-rev11 permite a atacantes remotos inyectar secuencias de comandos web o HTML... • http://packetstormsecurity.com/files/129811/Open-Xchange-Server-6-OX-AppSuite-7.6.1-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2014-7871 – OX App Suite 7.6.0 SQL Injection
https://notcve.org/view.php?id=CVE-2014-7871
07 Nov 2014 — SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call. Vulnerabilidad de inyección SQL en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev36 y 7.6.x anterior a 7.6.0-rev23 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un llamada manipulada a la API jslob. OX App Suite versions 7.6.0 and below suffer from a remote SQL injec... • http://packetstormsecurity.com/files/129020/OX-App-Suite-7.6.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2014-5234
https://notcve.org/view.php?id=CVE-2014-5234
15 Sep 2014 — Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name. Vulnerabilidad cross-site scripting (XSS) en Backend en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev33 y 7.6.x anterior a 7.6.0-rev16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la publicación del nombre de la carpeta. • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2014-5235
https://notcve.org/view.php?id=CVE-2014-5235
15 Sep 2014 — Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds. Vulnerabilidad de XSS en el Frontend en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev33 y 7.6.x anterior a 7.6.0-rev16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con campos no especi... • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2014-5236
https://notcve.org/view.php?id=CVE-2014-5236
15 Sep 2014 — Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file. Múltiples vulnerabilidades de salto de ruta absoluto en documentconverter en Open-Xchange (OX) AppSuite versiones anteriores a 7.4.2-rev10 y versiones 7.6.x anteriores a 7.6.0-rev10, permiten a atacantes remotos leer archivo... • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •