CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2014-8993
https://notcve.org/view.php?id=CVE-2014-8993
05 Jan 2015 — Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type. Vulnerabilidad de XSS en el backend en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev40, 7.6.0 anterior a 7.6.0-rev32, y 7.6.1 anterior a 7.6.1-rev11 permite a atacantes remotos inyectar secuencias de comandos web o HTML... • http://packetstormsecurity.com/files/129811/Open-Xchange-Server-6-OX-AppSuite-7.6.1-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2014-7871 – OX App Suite 7.6.0 SQL Injection
https://notcve.org/view.php?id=CVE-2014-7871
07 Nov 2014 — SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call. Vulnerabilidad de inyección SQL en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev36 y 7.6.x anterior a 7.6.0-rev23 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un llamada manipulada a la API jslob. OX App Suite versions 7.6.0 and below suffer from a remote SQL injec... • http://packetstormsecurity.com/files/129020/OX-App-Suite-7.6.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2014-5234
https://notcve.org/view.php?id=CVE-2014-5234
15 Sep 2014 — Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name. Vulnerabilidad cross-site scripting (XSS) en Backend en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev33 y 7.6.x anterior a 7.6.0-rev16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la publicación del nombre de la carpeta. • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2014-5235
https://notcve.org/view.php?id=CVE-2014-5235
15 Sep 2014 — Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds. Vulnerabilidad de XSS en el Frontend en Open-Xchange (OX) AppSuite anterior a 7.4.2-rev33 y 7.6.x anterior a 7.6.0-rev16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con campos no especi... • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2014-5236
https://notcve.org/view.php?id=CVE-2014-5236
15 Sep 2014 — Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file. Múltiples vulnerabilidades de salto de ruta absoluto en documentconverter en Open-Xchange (OX) AppSuite versiones anteriores a 7.4.2-rev10 y versiones 7.6.x anteriores a 7.6.0-rev10, permiten a atacantes remotos leer archivo... • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 21EXPL: 0CVE-2014-5238
https://notcve.org/view.php?id=CVE-2014-5238
15 Sep 2014 — XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document. Una vulnerabilidad de tipo XML external entity (XXE) en Open-Xchange (OX) AppSuite versiones anteriores a 7.4.2-rev11 y versiones 7.6.x anteriores a 7.6.0-rev9, permite a atacantes remotos leer archivos arbitrarios y posiblemente otro impacto no especificado por medi... • http://packetstormsecurity.com/files/128257/Open-Xchange-7.6.0-XSS-SSRF-Traversal.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2391
https://notcve.org/view.php?id=CVE-2014-2391
08 Apr 2014 — The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potentially useful password-pattern information by reading (1) a web-server access log, (2) a web-server Referer log, or (3) browser history that contains this string because of its presence in a GET request. El servic... • http://www.securityfocus.com/archive/1/531762 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2392
https://notcve.org/view.php?id=CVE-2014-2392
08 Apr 2014 — The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. La funcionalidad de autoconfiguración de E-Mail en Open-Xchange AppSuite anterior a 7.2.2-rev20, 7.4.1 anterior a 7.4.1-rev11 y 7.4.2 anterior a 7.4.2-rev13 situa a contraseñas en u... • http://www.securityfocus.com/archive/1/531762 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2393
https://notcve.org/view.php?id=CVE-2014-2393
08 Apr 2014 — Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment. Vulnerabilidad de XSS en Open-Xchange AppSuite 7.4.1 anterior a 7.4.1-rev11 y 7.4.2 anterior a 7.4.2-rev13 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de un nombre de archivo Drive que no est... • http://www.securityfocus.com/archive/1/531762 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2077
https://notcve.org/view.php?id=CVE-2014-2077
18 Mar 2014 — Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 7.4.1 before 7.4.1-rev10 and 7.4.2 before 7.4.2-rev8 allows remote attackers to inject arbitrary web script or HTML via the subject of an email, involving 'the aria "tags" for screenreaders at the top bar'. Vulnerabilidad de XSS en el Frontend en Open-Xchange (OX) AppSuite 7.4.1 anterior a 7.4.1-rev10 y 7.4.2 anterior a 7.4.2-rev8 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del asunto de un... • http://archives.neohapsis.com/archives/bugtraq/2014-03/0108.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •