Open-Xchange: Security Vulnerabilities
documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occur for an EPS document that is disguised as a PDF document.
CVSS Score
9.8
EPSS Score
0.036
Published
2022-10-25
OX App Suite through 7.10.6 allows XSS by forcing block-wise read.
CVSS Score
5.4
EPSS Score
0.006
Published
2022-07-27
OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment).
CVSS Score
9.8
EPSS Score
0.03
Published
2022-07-27
OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message.
CVSS Score
6.1
EPSS Score
0.006
Published
2022-07-27
OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API.
CVSS Score
9.8
EPSS Score
0.031
Published
2022-07-27
OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls.
CVSS Score
6.5
EPSS Score
0.008
Published
2022-07-27
OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring.
CVSS Score
6.1
EPSS Score
0.009
Published
2022-03-28
OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message.
CVSS Score
6.1
EPSS Score
0.009
Published
2022-03-28
OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat.
CVSS Score
6.1
EPSS Score
0.009
Published
2022-03-28
OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO.
CVSS Score
6.1
EPSS Score
0.009
Published
2022-03-28