Note: This project will be discontinued after December 13, 2021.
Product: Ox_guard (Open-Xchange)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 11 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-11-02 | CVE-2023-26456 | Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known. | Ox_guard | 5.4 | ||
2021-04-30 | CVE-2020-28944 | OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large amount of data. | Ox_guard | 7.5 | ||
2020-06-15 | CVE-2020-9427 | OX Guard 2.10.3 and earlier allows SSRF. | Ox_guard | N/A | ||
2020-06-15 | CVE-2020-9426 | OX Guard 2.10.3 and earlier allows XSS. | Ox_guard | N/A | ||
2019-07-03 | CVE-2018-10986 | OX Guard 2.8.0 has CSRF. | Ox_guard | 8.8 | ||
2016-12-15 | CVE-2016-6854 | An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | Ox_guard | 6.1 | ||
2016-12-15 | CVE-2016-6853 | An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface... | Ox_guard | 6.1 | ||
2016-12-15 | CVE-2016-6851 | An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has an active session on the... | Ox_guard | 6.1 | ||
2016-12-15 | CVE-2016-4028 | An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and... | Ox_guard | 7.5 | ||
2016-12-15 | CVE-2015-8542 | An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of... | Ox_guard | 8.8 | ||