Page 15 of 135 results (0.005 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1

OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery. OX App Suite, en su versión 7.8.4 y anteriores, permite ataques de Server-Side Request Forgery (SSRF). Ox App Suite versions 7.8.4 and 7.8.3 suffer from cross site scripting, cross site request forgery, and information disclosure vulnerabilities. • http://seclists.org/fulldisclosure/2019/Jan/10 http://software.open-xchange.com/OX6/doc/Release_Notes_for_Patch_Release_4791_7.8.4_2018-06-25.pdf https://software.open-xchange.com/OX6/doc/Release_Notes_for_Patch_Release_4790_7.8.3_2018-06-25.pdf https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_4789_7.6.3_2018-06-25.pdf • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag. Una vulnerabilidad Cross-Site Scripting (XSS) en Open-Xchange webmail en versiones anteriores a la 7.6.3-rev28 permite que atacantes remotos inyecten scripts web o HTML mediante el atributo event en una etiqueta time. • https://github.com/gquere/CVE-2017-6913 https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_4133_7.6.3_2017-05-15.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 77EXPL: 0

Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page with data-toggle gadgets. Vulnerabilidad de Cross-Site Scripting (XSS) en mail compose en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev31, versiones 7.8.x anteriores a la 7.8.2-rev31, versiones 7.8.3 anteriores a la 7.8.3-rev41 y versiones 7.8.4 anteriores a la 7.8.4-rev28 permite que los atacantes remotos inyecten scripts web o HTML arbitrarios mediante el atributo data-target en una página HTML con gadgets data-toggle. Open-Xchange OX Guard versions 7.10.2 and below suffer from a cross site scripting vulnerability. Open-Xchange OX Guard versions 7.10.1 and below, 2.10.2 and below suffer from a signature validation vulnerability. • http://packetstormsecurity.com/files/154127/Open-Xchange-OX-Guard-Cross-Site-Scripting-Signature-Validation.html http://seclists.org/fulldisclosure/2018/Jul/12 http://www.securitytracker.com/id/1041213 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 89EXPL: 0

Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include folder names in API error responses, which allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to api/tasks. Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev37, versiones 7.8.x anteriores a la 7.8.2-rev40, versiones 7.8.3 anteriores a la 7.8.3-rev48 y versiones 7.8.4 anteriores a la 7.8.4-rev28 incluye los nombres de carpeta en las respuestas de error de la API. Esto permite que los atacantes remotos obtengan información sensible mediante el parámetro folder en una acción "all" en api/tasks. OX App Suite version 7.8.5 suffers from XML external entity injection, information disclosure, and cross site scripting vulnerabilities. • http://seclists.org/fulldisclosure/2018/Jul/12 http://www.securitytracker.com/id/1041213 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 78EXPL: 3

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks. El componente backend en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev36, versiones 7.8.x anteriores a la 7.8.2-rev39, versiones 7.8.3 anteriores a la 7.8.3-rev44 y versiones 7.8.4 anteriores a la 7.8.4-rev22 no comprueba correctamente la asociación folder-to-object, lo que permite que usuarios autenticados remotos eliminen tareas arbitrarias mediante el id de tarea en una acción delete en api/tasks. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-269: Improper Privilege Management •