CVE-2023-24597
https://notcve.org/view.php?id=CVE-2023-24597
09 May 2023 — OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. • http://seclists.org/fulldisclosure/2023/May/3 •
CVE-2023-24598
https://notcve.org/view.php?id=CVE-2023-24598
09 May 2023 — OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-203: Observable Discrepancy •
CVE-2023-24599
https://notcve.org/view.php?id=CVE-2023-24599
09 May 2023 — OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion." • http://seclists.org/fulldisclosure/2023/May/3 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2023-24600
https://notcve.org/view.php?id=CVE-2023-24600
09 May 2023 — OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-863: Incorrect Authorization •
CVE-2023-24601
https://notcve.org/view.php?id=CVE-2023-24601
09 May 2023 — OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-24602
https://notcve.org/view.php?id=CVE-2023-24602
09 May 2023 — OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-24603
https://notcve.org/view.php?id=CVE-2023-24603
09 May 2023 — OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data. • http://seclists.org/fulldisclosure/2023/May/3 •
CVE-2023-24604
https://notcve.org/view.php?id=CVE-2023-24604
09 May 2023 — OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. • http://seclists.org/fulldisclosure/2023/May/3 •
CVE-2023-24605
https://notcve.org/view.php?id=CVE-2023-24605
09 May 2023 — OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-862: Missing Authorization •
CVE-2022-37306
https://notcve.org/view.php?id=CVE-2022-37306
15 Feb 2023 — OX App Suite before 7.10.6-rev30 allows XSS via an upsell trigger. • http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •