Page 16 of 121 results (0.013 seconds)

CVSS: 6.5EPSS: 0%CPEs: 69EXPL: 3

The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal part" of a (1) From or (2) Sender address. El componente frontend en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev31, versiones 7.8.x anteriores a la 7.8.2-rev31, versiones 7.8.3 anteriores a la 7.8.3-rev41 y versiones 7.8.4 anteriores a la 7.8.4-rev20 permite que atacantes remotos suplanten el origen de emails mediante caracteres unicode en la "parte personal" de una dirección (1) From o (2) Sender. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-20: Improper Input Validation •

CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 3

Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard. Vulnerabilidad de Cross-Site Scripting (XSS) en el componente office-web en Open-Xchange OX App Suite en versiones anteriores a la 7.8.3-rev12 y versiones 7.8.4 anteriores a la 7.8.4-rev9 permite que atacantes remoto inyecten scripts web o HTML arbitrarios mediante un archivo de presentación manipulado. Esto está relacionado con la copia de contenidos al portapapeles. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 78EXPL: 3

The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses. El componente backend en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev36, versiones 7.8.x anteriores a la 7.8.2-rev39, versiones 7.8.3 anteriores a la 7.8.3-rev44 y versiones 7.8.4 anteriores a la 7.8.4-rev22 permite que atacantes remotos realicen ataques de Server-Side Request Forgery (SSRF) mediante vectores relacionados con representaciones no decimales de direcciones IP y direcciones IPv6 relacionadas especiales. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed. • http://www.securityfocus.com/archive/1/538732/100/0/threaded http://www.securitytracker.com/id/1036157 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/archive/1/538732/100/0/threaded http://www.securitytracker.com/id/1036157 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •