This article is a part of our Vulnerability Database.

Cross-site Scripting occurrences in Open-Xchange App Suite

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used. (2021-07-22, CVE-2021-37403)

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used. (2021-07-22, CVE-2021-26698)

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled. (2021-07-22, CVE-2021-37402)

OX App Suite 7.10.4 and earlier allows XSS via crafted content to reach an undocumented feature, such as ![](http://onerror=Function.constructor, in a Notes item. (2021-05-03, CVE-2020-28945)

OX App Suite 7.10.4 and earlier allows XSS via a crafted contact object (payload in the position or company field) that is mishandled in the App Suite UI on a smartphone. (2021-04-30, CVE-2021-31934)

OX App Suite 7.10.4 and earlier allows XSS via a crafted distribution list (payload in the common name) that is mishandled in the scheduling view. (2021-04-30, CVE-2021-31935)

OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string. (2021-01-12, CVE-2021-23928)

OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. (2021-01-12, CVE-2021-23934)

OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/?delivery=view URI. (2021-01-12, CVE-2021-23929)

OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code. (2021-01-12, CVE-2021-23935)

OX App Suite through 7.10.4 allows XSS via an inline binary file. (2021-01-12, CVE-2021-23931)

OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename. (2021-01-12, CVE-2021-23932)

OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL. (2021-01-12, CVE-2021-23933)

OX App Suite through 7.10.4 allows XSS via the subject of a task. (2021-01-12, CVE-2021-23936)

OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. (2021-01-12, CVE-2021-23930)

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI). (2021-01-12, CVE-2020-24701)

OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS. (2020-10-23, CVE-2020-15004)

OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document. (2020-08-31, CVE-2020-12646)

OX App Suite through 7.10.3 allows XSS. (2020-06-16, CVE-2020-8542)

OX App Suite through 7.10.2 has XSS. (2020-01-06, CVE-2019-16717)

OX App Suite 7.10.1 and 7.10.2 allows XSS. (2019-10-14, CVE-2019-14227)

OX App Suite 7.10.0 to 7.10.2 allows XSS. (2019-08-20, CVE-2019-11522)

OX App Suite 7.8.4 and earlier allows XSS. Internal reference: 58742 (Bug ID) (2019-03-21, CVE-2018-13104)

OX App Suite 7.8.4 and earlier allows Directory Traversal. (2019-01-30, CVE-2018-12611)

Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev28 allows remote attackers to inject arbitrary web script or HTML via the data-target attribute in an HTML page with data-toggle gadgets. (2018-07-05, CVE-2018-9997)

Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related to copying content to the clipboard. (2018-06-16, CVE-2018-5754)

Why Cross-site Scripting can be dangerous

Cross-site scripting is an attack in which a web page executes code injected by an adversary. It usually appears when user-supplied input is echoed back into the page. The attack can be used to impersonate a user, take over the session, or even steal API keys.

The attack can be executed, for example, when your application injects a request parameter directly into the HTML of the page returned to the user:

https://server.com/confirmation?message=Transaction+Complete

which results in:

<span>Confirmation: Transaction Complete</span>

In that case the message can be modified to contain valid JavaScript, e.g.:

https://server.com/confirmation?message=<script>dangerous javascript code here</script>

and it will be executed locally by the user's browser with full access to the user's personal application/browser data:

<span>Confirmation: <script>dangerous javascript code here</script></span>
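The confirmation page described above, rendered both ways, as an added example that is not part of the original article: renderUnsafe() reproduces the reflected-XSS bug by concatenating the raw parameter, while renderSafe() HTML-encodes it for the text context first. The URLs, the span template and the placeholder payload are the ones used in the explanation; the function names are assumptions.

```javascript
// Added example (not from the original page). Minimal HTML entity encoder for
// text placed between tags; attribute and JavaScript contexts need more.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull the `message` query parameter out of the request URL ('+' decodes to a space).
function messageParam(url) {
  return new URL(url).searchParams.get("message") || "";
}

// Vulnerable: the raw parameter is concatenated into the response body.
function renderUnsafe(url) {
  return `<span>Confirmation: ${messageParam(url)}</span>`;
}

// Hardened: the parameter is encoded for the HTML text context before insertion.
function renderSafe(url) {
  return `<span>Confirmation: ${escapeHtml(messageParam(url))}</span>`;
}

// Crude demonstration check: does the response body still carry a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request URLs, mirroring the two URLs in the text above.
const benignUrl = "https://server.com/confirmation?message=Transaction+Complete";
const hostileUrl = "https://server.com/confirmation?message=" +
  encodeURIComponent("<script>dangerous javascript code here</script>");

console.log(renderUnsafe(benignUrl));  // <span>Confirmation: Transaction Complete</span>
console.log(renderUnsafe(hostileUrl)); // the <script> tag reaches the browser intact
console.log(renderSafe(hostileUrl));   // &lt;script&gt;... is shown as inert text
```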
