Vulnerabilities > Open Xchange
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-02 | CVE-2023-26456 | Cross-site Scripting vulnerability in Open-Xchange OX Guard Users were able to set an arbitrary "product name" for OX Guard. | 5.4 |
| 2023-11-02 | CVE-2023-29043 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. | 6.1 |
| 2023-11-02 | CVE-2023-29044 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Documents operations could be manipulated to contain invalid data types, possibly script code. | 5.4 |
| 2023-11-02 | CVE-2023-29045 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. | 5.4 |
| 2023-11-02 | CVE-2023-29046 | Resource Exhaustion vulnerability in Open-Xchange Appsuite Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. | 4.3 |
| 2023-11-02 | CVE-2023-29047 | SQL Injection vulnerability in Open-Xchange Appsuite Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. | 7.3 |
| 2023-08-02 | CVE-2023-26430 | Command Injection vulnerability in Open-Xchange Appsuite Backend 7.10.6/8.10.0 Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules. | 4.3 |
| 2023-08-02 | CVE-2023-26438 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Open-Xchange Appsuite Backend 7.10.6/8.10.0 External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. | 3.1 |
| 2023-08-02 | CVE-2023-26439 | SQL Injection vulnerability in Open-Xchange Appsuite Office 7.8.3 The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. | 7.8 |
| 2023-08-02 | CVE-2023-26440 | SQL Injection vulnerability in Open-Xchange Appsuite Office 7.8.3 The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. | 7.8 |