Open-xchange appsuite

This hub aggregates every CVE we track for Open-xchange appsuite, a product in the communications space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Open-xchange appsuite.

• CVE-2023-41708References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. P...5.4Feb 12, 2024
• CVE-2023-41707Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. ...6.5Feb 12, 2024
• CVE-2023-41706Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high p...6.5Feb 12, 2024
• CVE-2023-41705Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. P...6.5Feb 12, 2024
• CVE-2023-41704Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a users sessions when interactin...7.1Feb 12, 2024
• CVE-2023-41703User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided...6.1Feb 12, 2024
• CVE-2023-29047Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements. An attacker with access to the adjacent...5.3Nov 2, 2023
• CVE-2023-29046Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged. Some connections use user-controlled endp...4.3Nov 2, 2023
• CVE-2023-29045Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for user...5.4Nov 2, 2023
• CVE-2023-29044Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively colla...5.4Nov 2, 2023
• CVE-2023-29043Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious...6.1Nov 2, 2023
• CVE-2023-26455RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI...5.6Nov 2, 2023
• CVE-2023-26454Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imagecon...7.6Nov 2, 2023
• CVE-2023-26453Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter...7.6Nov 2, 2023
• CVE-2023-26452Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networ...7.6Nov 2, 2023