CVE-2014-2078
https://notcve.org/view.php?id=CVE-2014-2078
The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain sensitive information about user email addresses in opportunistic circumstances by leveraging a failure in e-mail auto configuration for external accounts.
• http://www.securityfocus.com/archive/1/531502/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/92017
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2016-6846
https://notcve.org/view.php?id=CVE-2016-6846
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML.
• http://software.open-xchange.com/OX6/doc/Release_Notes_for_Patch_Release_3520_7.8.0_2016-08-29.pdf
• http://www.securityfocus.com/bid/93457
• https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3518_7.6.2_2016-08-29.pdf
• https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4047
https://notcve.org/view.php?id=CVE-2016-4047
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xlsx files. Those resources were requested when parsing certain parts of the generated document. As a result, an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed.
• http://www.securityfocus.com/archive/1/538732/100/0/threaded
• http://www.securitytracker.com/id/1036157
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2016-4026
https://notcve.org/view.php?id=CVE-2016-4026
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content when invalid HTML code is provided. In such cases the filter will output an unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data, etc.).
• http://www.securityfocus.com/archive/1/538732/100/0/threaded
• http://www.securitytracker.com/id/1036157
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-6852
https://notcve.org/view.php?id=CVE-2016-6852
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks.
• http://www.securityfocus.com/bid/93459
• https://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Patch_Release_3522_7.8.2_2016-08-29.pdf
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor