Vulnerabilities > Open Xchange
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-11-02 | CVE-2023-29046 | Resource Exhaustion vulnerability in Open-Xchange Appsuite: Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout; instead, those connections were logged. | 4.3 |
2023-11-02 | CVE-2023-29047 | SQL Injection vulnerability in Open-Xchange Appsuite: Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing injection of arbitrary SQL statements. | 7.3 |
2023-08-02 | CVE-2023-26430 | Command Injection vulnerability in Open-Xchange Appsuite Backend 7.10.6/8.10.0: Attackers with access to user accounts can inject arbitrary control characters into SIEVE mail-filter rules. | 4.3 |
2023-08-02 | CVE-2023-26438 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Open-Xchange Appsuite Backend 7.10.6/8.10.0: External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness involving the JDK DNS cache. | 3.1 |
2023-08-02 | CVE-2023-26439 | SQL Injection vulnerability in Open-Xchange Appsuite Office 7.8.3: The cacheservice API could be abused to inject parameters with SQL syntax, which was insufficiently sanitized before being executed as an SQL statement. | 7.8 |
2023-08-02 | CVE-2023-26440 | SQL Injection vulnerability in Open-Xchange Appsuite Office 7.8.3: The cacheservice API could be abused to indirectly inject parameters with SQL syntax, which was insufficiently sanitized and would later be executed when creating new cache groups. | 7.8 |
2023-08-02 | CVE-2023-26441 | Path Traversal vulnerability in Open-Xchange Appsuite Office 7.8.3: Cacheservice did not correctly check whether relative cache objects were pointing to the defined absolute location when accessing resources. | 5.5 |
2023-08-02 | CVE-2023-26442 | Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite Office 7.8.3: In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. | 3.2 |
2023-08-02 | CVE-2023-26443 | SQL Injection vulnerability in Open-Xchange Appsuite Backend: Full-text autocomplete search allows user-provided SQL syntax to be injected into SQL statements. | 9.8 |
2023-08-02 | CVE-2023-26445 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Frontend: Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. | 5.4 |