Open Xchange Appsuite Frontend
By the Year
In 2024 there have been 0 vulnerabilities in Open Xchange Appsuite Frontend . Last year Open Xchange Appsuite Frontend had 6 security vulnerabilities published. Right now, Open Xchange Appsuite Frontend is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 6 | 5.40 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Open Xchange Appsuite Frontend vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Open Xchange Appsuite Frontend Security Vulnerabilities
The "OX Chat" web service did not specify a media-type when processing responses by external resources
CVE-2023-26449
5.4 - Medium
- August 02, 2023
The "OX Chat" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known.
XSS
Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers
CVE-2023-26448
5.4 - Medium
- August 02, 2023
Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize jslob content for those locations to avoid redirects to malicious content. No publicly available exploits are known.
XSS
The "OX Count" web service did not specify a media-type when processing responses by external resources
CVE-2023-26450
5.4 - Medium
- August 02, 2023
The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known.
XSS
The "upsell" widget for the portal allows to specify a product description
CVE-2023-26447
5.4 - Medium
- August 02, 2023
The "upsell" widget for the portal allows to specify a product description. This description taken from a user-controllable jslob did not get escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize jslob content. No publicly available exploits are known.
XSS
The users clientID at "application passwords" was not sanitized or escaped before being added to DOM
CVE-2023-26446
5.4 - Medium
- August 02, 2023
The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known.
XSS
Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login
CVE-2023-26445
5.4 - Medium
- August 02, 2023
Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Open Xchange Appsuite Frontend or by Open Xchange? Click the Watch button to subscribe.
