Vulnerabilities > Open Xchange > Open Xchange Appsuite Backend > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-02 | CVE-2023-26430 | Command Injection vulnerability in Open-Xchange Appsuite Backend 7.10.6/8.10.0 Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules. | 4.3 |
| 2023-06-20 | CVE-2023-26428 | Authorization Bypass Through User-Controlled Key vulnerability in Open-Xchange Appsuite Backend Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. | 6.5 |
| 2023-06-20 | CVE-2023-26429 | Command Injection vulnerability in Open-Xchange Appsuite Backend Control characters were not removed when exporting user feedback content. | 5.3 |
| 2023-06-20 | CVE-2023-26431 | Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite Backend IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. | 4.3 |
| 2023-06-20 | CVE-2023-26432 | Unspecified vulnerability in Open-Xchange Appsuite Backend When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes. | 4.3 |
| 2023-06-20 | CVE-2023-26433 | Unspecified vulnerability in Open-Xchange Appsuite Backend When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes. | 4.3 |
| 2023-06-20 | CVE-2023-26434 | Unspecified vulnerability in Open-Xchange Appsuite Backend When adding an external mail account, processing of POP3 "capabilities" responses are not limited to plausible sizes. | 4.3 |
| 2023-06-20 | CVE-2023-26435 | Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite Backend It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. | 5.0 |
| 2017-03-29 | CVE-2016-6846 | Cross-site Scripting vulnerability in Open-Xchange products Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML. | 4.3 |