Page 28 of 175 results (0.005 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. • https://www.exploit-db.com/exploits/40378 http://packetstormsecurity.com/files/138700/Open-Xchange-App-Suite-7.8.2-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/539394/100/0/threaded http://www.securityfocus.com/bid/92922 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image from a specially crafted website and add it to HTML editor areas of OX App Suite, for example E-Mail Compose or OX Text. This specific attack circumvents typical XSS filters and detection mechanisms since the code is not loaded from an external service but injected locally. Malicious script code can be executed within a user's context. • http://packetstormsecurity.com/files/137894/Open-Xchange-App-Suite-7.8.1-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/538892/100/0/threaded http://www.securityfocus.com/bid/91775 http://www.securitytracker.com/id/1036296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. • http://packetstormsecurity.com/files/137599/Open-Xchange-App-Suite-7.8.1-Information-Disclosure.html http://www.securityfocus.com/archive/1/538732/100/0/threaded http://www.securitytracker.com/id/1036157 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be provided as redirection target. Users can be tricked to follow a link to a trustworthy domain but end up at an unexpected service later on. This vulnerability can be used to prepare and enhance phishing attacks. • http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/538481/100/0/threaded • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user's context. • http://packetstormsecurity.com/files/137187/Open-Xchange-OX-AppSuite-7.8.0-XSS-Open-Redirect.html http://www.securityfocus.com/archive/1/538481/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •