Open-xchange appsuite backend

This hub aggregates every CVE we track for Open-xchange appsuite backend, a product in the communications space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 14 most recently published vulnerabilities affecting Open-xchange appsuite backend.

• CVE-2023-26451Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service. Authorization codes were predictable for third parties and could be ...7.5Aug 2, 2023
• CVE-2023-26443Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. With existing sanitization in place, this can be abused to trigger benign SQL Exceptions but could po...5.5Aug 2, 2023
• CVE-2023-26438External service lookups for a number of protocols were vulnerable to a time-of-check/time-of-use (TOCTOU) weakness, involving the JDK DNS cache. Attackers that were timing DNS cache expiry correct...4.3Aug 2, 2023
• CVE-2023-26430Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules. This could be abused to access SIEVE extension that are not allowed by App Suite or to inj...3.5Aug 2, 2023
• CVE-2023-26436Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted ...7.1Jun 20, 2023
• CVE-2023-26435It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. Attackers could discover restricted network topology and services as ...5.0Jun 20, 2023
• CVE-2023-26434When adding an external mail account, processing of POP3 "capabilities" responses are not limited to plausible sizes. Attacker with access to a rogue POP3 service could trigger requests that lead t...4.3Jun 20, 2023
• CVE-2023-26433When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes. Attacker with access to a rogue IMAP service could trigger requests that lead t...4.3Jun 20, 2023
• CVE-2023-26432When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes. Attacker with access to a rogue SMTP service could trigger requests that lead t...4.3Jun 20, 2023
• CVE-2023-26431IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Attackers with access to user accounts could use this to bypass existing deny-list functio...5.0Jun 20, 2023
• CVE-2023-26429Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. W...3.5Jun 20, 2023
• CVE-2023-26428Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explic...6.5Jun 20, 2023
• CVE-2023-26427Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated the default permissions for noreply.properties set during ...3.2Jun 20, 2023
• CVE-2016-6846Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 bef...6.1Mar 29, 2017