CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-26456
https://notcve.org/view.php?id=CVE-2023-26456
02 Nov 2023 — Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known. • https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28944 – OX App Suite / OX Guard SSRF / DoS / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-28944
30 Apr 2021 — OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data. OX Guard vesiones 2.10.4 y anteriores permiten una Denegación de Servicio por medio de un servidor WKS que responde lentamente o con una gran cantidad de datos. OX App Suite versions 7.10.4 and below suffer from cross site scripting and server-side request forgery vulnerabilities. OX Guard versions 2.10.4 and below suffer from a denial of service vulnerability. • http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4028
https://notcve.org/view.php?id=CVE-2016-4028
15 Dec 2016 — An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials.... • http://www.securityfocus.com/archive/1/538732/100/0/threaded • CWE-255: Credentials Management Errors •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2016-6851 – Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-6851
13 Sep 2016 — An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the same domain already... • https://www.exploit-db.com/exploits/40377 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 2CVE-2016-6853 – Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-6853
13 Sep 2016 — An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. • https://www.exploit-db.com/exploits/40377 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 2CVE-2016-6854 – Open-Xchange Guard 2.4.2 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-6854
13 Sep 2016 — An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Ha sido descubierto un problema en Open-Xchange OX Guard en versiones anteriores a 2.4.2-rev5. • https://www.exploit-db.com/exploits/40377 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8542
https://notcve.org/view.php?id=CVE-2015-8542
03 Mar 2016 — An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when acces... • http://packetstormsecurity.com/files/136069/Open-Xchange-Guard-2.2.0-2.0-Private-Key-Disclosure.html • CWE-320: Key Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-7385
https://notcve.org/view.php?id=CVE-2015-7385
17 Nov 2015 — Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in "Guard PGP Settings." Vulnerabilidad de XSS en Open-Xchange OX Guard en versiones anteriores a 2.0.0-rev11 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de el campo uid en una clave pública PGP, lo que no es manejado adecuadamente en 'Guard PGP S... • http://packetstormsecurity.com/files/134415/Open-Xchange-Guard-2.0-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •