CVSS: 6.5EPSS: 0%CPEs: 78EXPL: 3CVE-2018-5751 – OX App Suite 7.8.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-5751
08 Jun 2018 — The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the "groups" and "users" APIs. El componente backend en Open-Xchange OX App Suite en versiones anteriores a la 7.6.3-rev36, versiones 7.8.x anteriores a la 7.8.2-rev39, versiones 7.8.3 anteriores a la 7.8.3-rev44 y versiones 7.8.4 anteriores a ... • https://www.exploit-db.com/exploits/44881 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-2078
https://notcve.org/view.php?id=CVE-2014-2078
10 Apr 2018 — The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allows remote attackers to obtain sensitive information about user email addresses in opportunistic circumstances by leveraging a failure in e-mail auto configuration for external accounts. El backend en Open-Xchange (OX) AppSuite, en versiones 7.4.2 anteriores a la 7.4.2-rev9, permite que atacantes remotos obtengan información sensible sobre direcciones de email de usuarios en circunstancias oportunistas aprovechando un error en la autoconfi... • http://www.securityfocus.com/archive/1/531502/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6842
https://notcve.org/view.php?id=CVE-2016-6842
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents settings. This requires the folder to be shared to the victim. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/bid/93457 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6843
https://notcve.org/view.php?id=CVE-2016-6843
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the context of the user which creates or changes the group by using autocomplete. In most cases this is a user with elevated permissions. Malicious script code can be executed within a user's context. • http://www.securityfocus.com/bid/93457 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6845
https://notcve.org/view.php?id=CVE-2016-6845
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. This allows an attacker to provide hyperlinks that may execute script code instead of directing to a proper location. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/bid/93457 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6844
https://notcve.org/view.php?id=CVE-2016-6844
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a" tags, this may include link targets with base64 encoded "data" references. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/bid/93457 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4047
https://notcve.org/view.php?id=CVE-2016-4047
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As a result an attacker can track access to a manipulated document. Usage of a document may get tracked and information about internal infrastructure may get exposed. • http://www.securityfocus.com/archive/1/538732/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4026
https://notcve.org/view.php?id=CVE-2016-4026
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such cases the filter will output a unsanitized representation of the content. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). • http://www.securityfocus.com/archive/1/538732/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6852
https://notcve.org/view.php?id=CVE-2016-6852
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on the middleware server to prepare further attacks. Ha sido descubierto un problema en Open-Xchange OX App Suite en versiones anteriores a 7.8.2-rev8. Usuarios pueden proporcionar rutas de archivo locales para el lector RSS; la respue... • http://www.securityfocus.com/bid/93459 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4046
https://notcve.org/view.php?id=CVE-2016-4046
15 Dec 2016 — An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of the operator. Users can inject arbitrary hosts and ports to API calls. Depending on the response type, content and latency, information about existence of hosts and services can be gathered. Attackers can get internal configuration information about the infrastructure of an operator to prepare subsequent attacks. • http://www.securityfocus.com/archive/1/538732/100/0/threaded • CWE-918: Server-Side Request Forgery (SSRF) •