Vulnerabilities in Open-Xchange GmbH
47 resultsCVE-2023-29050HIGHThe optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outsideEPSS 1.7%CVE-2023-29048HIGHA component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runEPSS 1.3%CVE-2024-23185HIGHVery large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the messEPSS 1.3%CVE-2024-23184MEDIUMHaving a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is alEPSS 0.8%CVE-2023-41705MEDIUMProcessing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load.EPSS 0.8%CVE-2023-41706MEDIUMProcessing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. AvEPSS 0.8%CVE-2023-41707MEDIUMProcessing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing loadEPSS 0.8%CVE-2023-29049MEDIUMThe "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromisedEPSS 0.6%CVE-2024-23186MEDIUME-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. AttackerEPSS 0.6%CVE-2025-30189HIGHWhen cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be usEPSS 0.6%CVE-2023-29051HIGHUser-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable theEPSS 0.5%CVE-2024-23193MEDIUME-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of theEPSS 0.5%CVE-2024-23189MEDIUMEmbedded content references at tasks could be used to temporarily execute script code in the context of the users browser session. To exploiEPSS 0.5%CVE-2024-23192MEDIUMRSS feeds that contain malicious data- attributes could be abused to inject script code to a users browser session when reading compromised EPSS 0.5%CVE-2023-41703MEDIUMUser ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when workEPSS 0.5%CVE-2023-41704HIGHProcessing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script cEPSS 0.5%CVE-2024-23188MEDIUMMaliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session. CoEPSS 0.5%CVE-2024-23190MEDIUMUpsell shop information of an account can be manipulated to execute script code in the context of the users browser session. To exploit thisEPSS 0.5%CVE-2024-23191MEDIUMUpsell advertisement information of an account can be manipulated to execute script code in the context of the users browser session. To expEPSS 0.5%CVE-2024-23187MEDIUMContent-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. AttEPSS 0.5%