CVE-2023-24600
https://notcve.org/view.php?id=CVE-2023-24600
OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •
CVE-2023-24604
https://notcve.org/view.php?id=CVE-2023-24604
OX App Suite before backend 7.10.6-rev37 does not check HTTP header lengths when downloading, e.g., potentially allowing a crafted iCal feed to provide an unlimited amount of header data. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •
CVE-2023-24601
https://notcve.org/view.php?id=CVE-2023-24601
OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-24598
https://notcve.org/view.php?id=CVE-2023-24598
OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com •
CVE-2023-24602
https://notcve.org/view.php?id=CVE-2023-24602
OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. • http://seclists.org/fulldisclosure/2023/May/3 https://open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •