Skip to main content

Open Xchange Appsuite Backend

14 CVEs product

Monthly

CVE-2023-26451 HIGH This Week

Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Open Xchange Appsuite Backend
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-26443 CRITICAL Act Now

Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Open Xchange Appsuite Backend
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-26438 LOW Monitor

External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
CVSS 3.1
3.1
EPSS
0.5%
CVE-2023-26430 MEDIUM This Month

Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Open Xchange Appsuite Backend
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2023-26436 HIGH This Week

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Java RCE Code Injection Deserialization Open Xchange Appsuite Backend
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2023-26435 MEDIUM This Month

It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
CVSS 3.1
5.0
EPSS
0.8%
CVE-2023-26434 MEDIUM This Month

When adding an external mail account, processing of POP3 "capabilities" responses are not limited to plausible sizes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Open Xchange Appsuite Backend
NVD
CVSS 3.1
4.3
EPSS
1.1%
CVE-2023-26433 MEDIUM This Month

When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Open Xchange Appsuite Backend
NVD
CVSS 3.1
4.3
EPSS
1.1%
CVE-2023-26432 MEDIUM This Month

When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Open Xchange Appsuite Backend
NVD
CVSS 3.1
4.3
EPSS
1.1%
CVE-2023-26431 MEDIUM This Month

IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2023-26429 MEDIUM This Month

Control characters were not removed when exporting user feedback content. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Open Xchange Appsuite Backend
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2023-26428 MEDIUM This Month

Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Open Xchange Appsuite Backend
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2023-26427 LOW Monitor

Default permissions for a properties file were too permissive. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Open Xchange Appsuite Backend
NVD
CVSS 3.1
3.3
EPSS
0.3%
CVE-2016-6846 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Microsoft Documentconverter Api Office Web Open Xchange Appsuite Backend +1
NVD
CVSS 3.0
6.1
EPSS
0.3%
EPSS 1% CVSS 7.5
HIGH This Week

Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Open Xchange Appsuite Backend
NVD
EPSS 0% CVSS 3.1
LOW Monitor

External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Java RCE Code Injection +2
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When adding an external mail account, processing of POP3 "capabilities" responses are not limited to plausible sizes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Control characters were not removed when exporting user feedback content. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Open Xchange Appsuite Backend
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Open Xchange Appsuite Backend
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Default permissions for a properties file were too permissive. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Open Xchange Appsuite Backend
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Microsoft Documentconverter Api +3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy