Open Xchange Appsuite Office Open Xchange Appsuite Office

Do you want an email whenever new security vulnerabilities are reported in Open Xchange Appsuite Office?

By the Year

In 2023 there have been 4 vulnerabilities in Open Xchange Appsuite Office with an average score of 6.1 out of ten. Open Xchange Appsuite Office did not have any published security vulnerabilities last year. That is, 4 more vulnerabilities have already been reported in 2023 as compared to last year.

Year Vulnerabilities Average Score
2023 4 6.08
2022 0 0.00
2021 0 0.00
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Open Xchange Appsuite Office vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Open Xchange Appsuite Office Security Vulnerabilities

In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend

CVE-2023-26442 3.2 - Low - August 02, 2023

In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control of the sproxyd service) could perform a server-side request-forgery attack and make Cacheservice connect to unexpected resources. We have disabled the ability to follow HTTP redirects when connecting to sproxyd resources. No publicly available exploits are known.

XSPA

Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources

CVE-2023-26441 5.5 - Medium - August 02, 2023

Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the services system user account. We have improved path validation and make sure that any access is contained to the defined root directory. No publicly available exploits are known.

Directory traversal

The cacheservice API could be abused to indirectly inject parameters with SQL syntax

CVE-2023-26440 7.8 - High - August 02, 2023

The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.

SQL Injection

The cacheservice API could be abused to inject parameters with SQL syntax

CVE-2023-26439 7.8 - High - August 02, 2023

The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.

SQL Injection

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Open Xchange Appsuite Office or by Open Xchange? Click the Watch button to subscribe.

subscribe