CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-6913
https://notcve.org/view.php?id=CVE-2017-6913
Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag. Una vulnerabilidad Cross-Site Scripting (XSS) en Open-Xchange webmail en versiones anteriores a la 7.6.3-rev28 permite que atacantes remotos inyecten scripts web o HTML mediante el atributo event en una etiqueta time. • https://github.com/gquere/CVE-2017-6913 https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_4133_7.6.3_2017-05-15.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 89EXPL: 0CVE-2018-9998 – OX App Suite 7.8.4 XSS / XML Injection / Information Disclosure
https://notcve.org/view.php?id=CVE-2018-9998
Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40, 7.8.3 before 7.8.3-rev48, and 7.8.4 before 7.8.4-rev28 include folder names in API error responses, which allows remote attackers to obtain sensitive information via the folder parameter in an "all" action to api/tasks. Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev37, versiones 7.8.x anteriores a la 7.8.2-rev40, versiones 7.8.3 anteriores a la 7.8.3-rev48 y versiones 7.8.4 anteriores a la 7.8.4-rev28 incluye los nombres de carpeta en las respuestas de error de la API. Esto permite que los atacantes remotos obtengan información sensible mediante el parámetro folder en una acción "all" en api/tasks. OX App Suite version 7.8.5 suffers from XML external entity injection, information disclosure, and cross site scripting vulnerabilities. • http://seclists.org/fulldisclosure/2018/Jul/12 http://www.securitytracker.com/id/1041213 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 77EXPL: 0CVE-2018-9997 – Open-Xchange OX Guard Cross Site Scripting / Signature Validation
https://notcve.org/view.php?id=CVE-2018-9997
Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page with data-toggle gadgets. Vulnerabilidad de Cross-Site Scripting (XSS) en mail compose en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev31, versiones 7.8.x anteriores a la 7.8.2-rev31, versiones 7.8.3 anteriores a la 7.8.3-rev41 y versiones 7.8.4 anteriores a la 7.8.4-rev28 permite que los atacantes remotos inyecten scripts web o HTML arbitrarios mediante el atributo data-target en una página HTML con gadgets data-toggle. Open-Xchange OX Guard versions 7.10.2 and below suffer from a cross site scripting vulnerability. Open-Xchange OX Guard versions 7.10.1 and below, 2.10.2 and below suffer from a signature validation vulnerability. • http://packetstormsecurity.com/files/154127/Open-Xchange-OX-Guard-Cross-Site-Scripting-Signature-Validation.html http://seclists.org/fulldisclosure/2018/Jul/12 http://www.securitytracker.com/id/1041213 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 69EXPL: 3CVE-2018-5753 – OX App Suite 7.8.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-5753
The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address. El componente frontend en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev31, versiones 7.8.x anteriores a la 7.8.2-rev31, versiones 7.8.3 anteriores a la 7.8.3-rev41 y versiones 7.8.4 anteriores a la 7.8.4-rev20 permite que atacantes remotos suplanten el origen de emails mediante caracteres unicode en la "parte personal" de una dirección (1) From o (2) Sender. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-20: Improper Input Validation •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 3CVE-2018-5755 – OX App Suite 7.8.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-5755
Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet. Vulnerabilidad de salto de directorio absoluto en el componente readerengine en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev3, versiones 7.8.x anteriores a la 7.8.2-rev4, versiones 7.8.3 anteriores a la 7.8.3-rev5 y versiones 7.8.4 anteriores a la 7.8.4-rev4 permite que atacantes remotos lean archivos arbitrarios mediante un nombre de ruta completo en una fórmula en una hoja de cálculo. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •