CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-26428
https://notcve.org/view.php?id=CVE-2023-26428
Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not explicitly shared with other users. No publicly available exploits are known. • http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html http://seclists.org/fulldisclosure/2023/Jun/8 https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-26427
https://notcve.org/view.php?id=CVE-2023-26427
Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated the default permissions for noreply.properties set during package installation. No publicly available exploits are known. • http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html http://seclists.org/fulldisclosure/2023/Jun/8 https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-922: Insecure Storage of Sensitive Information •
CVSS: 6.1EPSS: 0%CPEs: 53EXPL: 1CVE-2022-31469 – OX App Suite 7.10.6 Cross Site Scripting / SSRF / Resource Consumption
https://notcve.org/view.php?id=CVE-2022-31469
OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. OX App Suite hasta 7.10.6 permite XSS a través de un enlace profundo, como lo demuestra class="deep-link-app" para un URI /#!!&app=%2e./. OX App Suite versions 7.10.6 and below suffer from cross site scripting, server-side request forgery, and resource exhaustion vulnerabilities. • https://open-xchange.com https://seclists.org/fulldisclosure/2022/Nov/18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 53EXPL: 1CVE-2022-37310 – OX App Suite 7.10.6 Cross Site Scripting / SSRF / Resource Consumption
https://notcve.org/view.php?id=CVE-2022-37310
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. OX App Suite hasta 7.10.6 permite XSS a través de una capacidad maliciosa para las métricas o el módulo de ayuda, como lo demuestra un URI /#!!&app=io.ox/files&cap=. OX App Suite versions 7.10.6 and below suffer from cross site scripting, server-side request forgery, and resource exhaustion vulnerabilities. • https://open-xchange.com https://seclists.org/fulldisclosure/2022/Nov/18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 53EXPL: 1CVE-2022-37309 – OX App Suite 7.10.6 Cross Site Scripting / SSRF / Resource Consumption
https://notcve.org/view.php?id=CVE-2022-37309
OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. OX App Suite hasta 7.10.6 permite XSS mediante código script dentro de un contacto que tiene una dirección de correo electrónico pero carece de nombre. OX App Suite versions 7.10.6 and below suffer from cross site scripting, server-side request forgery, and resource exhaustion vulnerabilities. • https://open-xchange.com https://seclists.org/fulldisclosure/2022/Nov/18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •