Vulnerabilities > Open Xchange > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-02 | CVE-2023-26446 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Frontend The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. | 5.4 |
| 2023-08-02 | CVE-2023-26447 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Frontend The "upsell" widget for the portal allows to specify a product description. | 5.4 |
| 2023-08-02 | CVE-2023-26448 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Frontend Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. | 5.4 |
| 2023-08-02 | CVE-2023-26449 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Frontend The "OX Chat" web service did not specify a media-type when processing responses by external resources. | 5.4 |
| 2023-08-02 | CVE-2023-26450 | Cross-site Scripting vulnerability in Open-Xchange Appsuite Frontend The "OX Count" web service did not specify a media-type when processing responses by external resources. | 5.4 |
| 2023-06-20 | CVE-2023-26428 | Authorization Bypass Through User-Controlled Key vulnerability in Open-Xchange Appsuite Backend Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. | 6.5 |
| 2023-06-20 | CVE-2023-26429 | Command Injection vulnerability in Open-Xchange Appsuite Backend Control characters were not removed when exporting user feedback content. | 5.3 |
| 2023-06-20 | CVE-2023-26431 | Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite Backend IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. | 4.3 |
| 2023-06-20 | CVE-2023-26432 | Unspecified vulnerability in Open-Xchange Appsuite Backend When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes. | 4.3 |
| 2023-06-20 | CVE-2023-26433 | Unspecified vulnerability in Open-Xchange Appsuite Backend When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes. | 4.3 |