CVSS: 9.0EPSS: 0%CPEs: 40EXPL: 0CVE-2023-29048
https://notcve.org/view.php?id=CVE-2023-29048
08 Jan 2024 — A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known. Se podría abusar de un componente par... • http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 25EXPL: 0CVE-2023-24597
https://notcve.org/view.php?id=CVE-2023-24597
09 May 2023 — OX App Suite before frontend 7.10.6-rev24 allows the loading (without user consent) of an e-mail message's remote resources during printing. • http://seclists.org/fulldisclosure/2023/May/3 •
CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0CVE-2023-24598
https://notcve.org/view.php?id=CVE-2023-24598
09 May 2023 — OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-203: Observable Discrepancy •
CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0CVE-2023-24599
https://notcve.org/view.php?id=CVE-2023-24599
09 May 2023 — OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion." • http://seclists.org/fulldisclosure/2023/May/3 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0CVE-2023-24600
https://notcve.org/view.php?id=CVE-2023-24600
09 May 2023 — OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 0%CPEs: 25EXPL: 0CVE-2023-24601
https://notcve.org/view.php?id=CVE-2023-24601
09 May 2023 — OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 25EXPL: 0CVE-2023-24602
https://notcve.org/view.php?id=CVE-2023-24602
09 May 2023 — OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 38EXPL: 0CVE-2023-24603
https://notcve.org/view.php?id=CVE-2023-24603
09 May 2023 — OX App Suite before backend 7.10.6-rev37 does not check size limits when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of data. • http://seclists.org/fulldisclosure/2023/May/3 •
CVSS: 4.3EPSS: 0%CPEs: 39EXPL: 0CVE-2023-24604
https://notcve.org/view.php?id=CVE-2023-24604
09 May 2023 — OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. • http://seclists.org/fulldisclosure/2023/May/3 •
CVSS: 4.2EPSS: 0%CPEs: 38EXPL: 0CVE-2023-24605
https://notcve.org/view.php?id=CVE-2023-24605
09 May 2023 — OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. OX App Suite antes de la versión 7.10.6-rev37 no impone la verificación en dos pasos para todos los servicios finales, como por ejemplo: leer desde un dispositivo, leer datos de contacto y el cambio de nombre de símbolos. • http://seclists.org/fulldisclosure/2023/May/3 • CWE-862: Missing Authorization •