CVSS: 8.8EPSS: 0%CPEs: 78EXPL: 3CVE-2018-5752 – OX App Suite 7.8.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-5752
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involving non-decimal representations of IP addresses and special IPv6 related addresses. El componente backend en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev36, versiones 7.8.x anteriores a la 7.8.2-rev39, versiones 7.8.3 anteriores a la 7.8.3-rev44 y versiones 7.8.4 anteriores a la 7.8.4-rev22 permite que atacantes remotos realicen ataques de Server-Side Request Forgery (SSRF) mediante vectores relacionados con representaciones no decimales de direcciones IP y direcciones IPv6 relacionadas especiales. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 78EXPL: 3CVE-2018-5756 – OX App Suite 7.8.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-5756
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users to delete arbitrary tasks via the task id in a delete action to api/tasks. El componente backend en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev36, versiones 7.8.x anteriores a la 7.8.2-rev39, versiones 7.8.3 anteriores a la 7.8.3-rev44 y versiones 7.8.4 anteriores a la 7.8.4-rev22 no comprueba correctamente la asociación folder-to-object, lo que permite que usuarios autenticados remotos eliminen tareas arbitrarias mediante el id de tarea en una acción delete en api/tasks. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 3CVE-2018-5754 – OX App Suite 7.8.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-5754
Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard. Vulnerabilidad de Cross-Site Scripting (XSS) en el componente office-web en Open-Xchange OX App Suite en versiones anteriores a la 7.8.3-rev12 y versiones 7.8.4 anteriores a la 7.8.4-rev9 permite que atacantes remoto inyecten scripts web o HTML arbitrarios mediante un archivo de presentación manipulado. Esto está relacionado con la copia de contenidos al portapapeles. OX App Suite versions 7.8.4 and below suffer from cross site scripting, improper privilege management, content spoofing, server-side request forgery, and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/44881 http://packetstormsecurity.com/files/148118/OX-App-Suite-7.8.4-XSS-Privilege-Management-SSRF-Traversal.html http://seclists.org/fulldisclosure/2018/Jun/23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2016-6846
https://notcve.org/view.php?id=CVE-2016-6846
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML. Vulnerabilidad XSS en Open-Xchange (OX) AppSuite backend en versiones anteriores a 7.6.2-rev59, 7.8.0 en versiones anteriores a 7.8.0-rev38, 7.8.2 en versiones anteriores a 7.8.2-rev8; interfaz AppSuite en versiones anteriores a 7.6.2-rev47, 7.8.0 en versiones anteriores a 7.8.0-rev30 y 7.8.2 en versiones anteriores a 7.8.2-rev8; Office Web en versiones anteriores a 7.6.2-rev16, 7.8.0 en versiones anteriores a 7.8.0-rev10 y 7.8.2 en versiones anteriores a 7.8.2-rev5; y Documentconverter-API en versiones anteriores a 7.8.2-rev5 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios. • http://software.open-xchange.com/OX6/doc/Release_Notes_for_Patch_Release_3520_7.8.0_2016-08-29.pdf http://www.securityfocus.com/bid/93457 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3518_7.6.2_2016-08-29.pdf https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6848
https://notcve.org/view.php?id=CVE-2016-6848
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. API requests can be used to inject, generate and download executable files to the client ("Reflected File Download"). Malicious platform specific (e.g. Microsoft Windows) batch file can be created via a trusted domain without authentication that, if executed by the user, may lead to local code execution. Ha sido descubierto un problema en Open-Xchange OX App Suite en versiones anteriores a 7.8.2-rev8. • http://www.securityfocus.com/bid/93460 https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf • CWE-254: 7PK - Security Features •