CVSS: 8.8EPSS: 0%CPEs: 40EXPL: 0CVE-2023-29048
https://notcve.org/view.php?id=CVE-2023-29048
A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known. Se podría abusar de un componente para analizar plantillas OXMF para ejecutar comandos arbitrarios del sistema que se ejecutarían como usuario de tiempo de ejecución sin privilegios. • http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html http://seclists.org/fulldisclosure/2024/Jan/3 https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0CVE-2023-24600
https://notcve.org/view.php?id=CVE-2023-24600
OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •
CVSS: 4.3EPSS: 0%CPEs: 39EXPL: 0CVE-2023-24604
https://notcve.org/view.php?id=CVE-2023-24604
OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •
CVSS: 6.1EPSS: 0%CPEs: 25EXPL: 0CVE-2023-24601
https://notcve.org/view.php?id=CVE-2023-24601
OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0CVE-2023-24598
https://notcve.org/view.php?id=CVE-2023-24598
OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •