OXAS-ADV-2025-0003
Vulnerability from csaf_ox - Published: 2025-09-24 00:00 - Updated: 2025-11-27 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2025-0003
Severity
Medium
Notes
Terms of Use: This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.
CVE-2025-30190 (XSS using unescaped user-ids in OX Documents): Malicious content in office documents can be used to inject script code when editing a document.
CVSS 3.1 base score: 5.4 (Medium)
Vendor Fix
Please deploy the provided updates and patch releases.
CVE-2025-59025 (XSS through sanitizer bypass for CSS elements): Malicious e-mail content can be used to execute script code.
CVSS 3.1 base score: 6.1 (Medium)
Vendor Fix
Sanitization has been updated to avoid such bypasses.
CVE-2025-59026 (XSS based on file type confusion in download sanitization): Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links.
CVSS 3.1 base score: 5.4 (Medium)
Vendor Fix
Please deploy the provided updates and patch releases.
CVE-2025-30186 (XSS based on HTML extensions in download sanitization): Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links.
CVSS 3.1 base score: 5.4 (Medium)
Vendor Fix
Please deploy the provided updates and patch releases.
{
"document": {
"aggregate_severity": {
"text": "MEDIUM"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Open-Xchange GmbH. All rights reserved.",
"tlp": {
"label": "GREEN",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"name": "Open-Xchange GmbH",
"namespace": "https://open-xchange.com/"
},
"references": [
{
"category": "self",
"summary": "Canonical CSAF document",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json"
},
{
"category": "self",
"summary": "Markdown representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2025/oxas-adv-2025-0003.md"
},
{
"category": "self",
"summary": "HTML representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0003.html"
},
{
"category": "self",
"summary": "Plain-text representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2025/oxas-adv-2025-0003.txt"
}
],
"title": "OX App Suite Security Advisory OXAS-ADV-2025-0003",
"tracking": {
"current_release_date": "2025-11-27T00:00:00+00:00",
"generator": {
"date": "2025-11-27T09:23:02+00:00",
"engine": {
"name": "OX CSAF",
"version": "1.0.0"
}
},
"id": "OXAS-ADV-2025-0003",
"initial_release_date": "2025-09-24T00:00:00+02:00",
"revision_history": [
{
"date": "2025-09-24T00:00:00+02:00",
"number": "1",
"summary": "Initial release"
},
{
"date": "2025-11-27T00:00:00+00:00",
"number": "2",
"summary": "Public release"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "8.35.1513817",
"product": {
"name": "OX App Suite office 8.35.1513817",
"product_id": "OXAS-OFFICE_8.35.1513817",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.35.1513817:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.1565928",
"product": {
"name": "OX App Suite office 8.39.1565928",
"product_id": "OXAS-OFFICE_8.39.1565928",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.39.1565928:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.1565934",
"product": {
"name": "OX App Suite office 8.40.1565934",
"product_id": "OXAS-OFFICE_8.40.1565934",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.40.1565934:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.1523927",
"product": {
"name": "OX App Suite office 8.41.1523927",
"product_id": "OXAS-OFFICE_8.41.1523927",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.41.1523927:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.1513818",
"product": {
"name": "OX App Suite office 8.35.1513818",
"product_id": "OXAS-OFFICE_8.35.1513818",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.35.1513818:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.1565929",
"product": {
"name": "OX App Suite office 8.39.1565929",
"product_id": "OXAS-OFFICE_8.39.1565929",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.39.1565929:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.1565935",
"product": {
"name": "OX App Suite office 8.40.1565935",
"product_id": "OXAS-OFFICE_8.40.1565935",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.40.1565935:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.1523928",
"product": {
"name": "OX App Suite office 8.41.1523928",
"product_id": "OXAS-OFFICE_8.41.1523928",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.41.1523928:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "OX App Suite office"
},
{
"branches": [
{
"category": "product_version",
"name": "8.35.110",
"product": {
"name": "OX App Suite backend 8.35.110",
"product_id": "OXAS-BACKEND_8.35.110",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.110:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.85",
"product": {
"name": "OX App Suite backend 8.39.85",
"product_id": "OXAS-BACKEND_8.39.85",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.85:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.73",
"product": {
"name": "OX App Suite backend 8.40.73",
"product_id": "OXAS-BACKEND_8.40.73",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.73:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.50",
"product": {
"name": "OX App Suite backend 8.41.50",
"product_id": "OXAS-BACKEND_8.41.50",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.50:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.111",
"product": {
"name": "OX App Suite backend 8.35.111",
"product_id": "OXAS-BACKEND_8.35.111",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.111:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.86",
"product": {
"name": "OX App Suite backend 8.39.86",
"product_id": "OXAS-BACKEND_8.39.86",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.86:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.74",
"product": {
"name": "OX App Suite backend 8.40.74",
"product_id": "OXAS-BACKEND_8.40.74",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.74:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.51",
"product": {
"name": "OX App Suite backend 8.41.51",
"product_id": "OXAS-BACKEND_8.41.51",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.51:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.67",
"product": {
"name": "OX App Suite backend 8.41.67",
"product_id": "OXAS-BACKEND_8.41.67",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.67:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.68",
"product": {
"name": "OX App Suite backend 8.41.68",
"product_id": "OXAS-BACKEND_8.41.68",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.68:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.107",
"product": {
"name": "OX App Suite backend 8.35.107",
"product_id": "OXAS-BACKEND_8.35.107",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.107:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.38.89",
"product": {
"name": "OX App Suite backend 8.38.89",
"product_id": "OXAS-BACKEND_8.38.89",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.38.89:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.83",
"product": {
"name": "OX App Suite backend 8.39.83",
"product_id": "OXAS-BACKEND_8.39.83",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.83:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.68",
"product": {
"name": "OX App Suite backend 8.40.68",
"product_id": "OXAS-BACKEND_8.40.68",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.68:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.60",
"product": {
"name": "OX App Suite backend 8.41.60",
"product_id": "OXAS-BACKEND_8.41.60",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.60:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.108",
"product": {
"name": "OX App Suite backend 8.35.108",
"product_id": "OXAS-BACKEND_8.35.108",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.108:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.38.90",
"product": {
"name": "OX App Suite backend 8.38.90",
"product_id": "OXAS-BACKEND_8.38.90",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.38.90:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.84",
"product": {
"name": "OX App Suite backend 8.39.84",
"product_id": "OXAS-BACKEND_8.39.84",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.84:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.69",
"product": {
"name": "OX App Suite backend 8.40.69",
"product_id": "OXAS-BACKEND_8.40.69",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.69:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.61",
"product": {
"name": "OX App Suite backend 8.41.61",
"product_id": "OXAS-BACKEND_8.41.61",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.61:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "OX App Suite backend"
}
],
"category": "vendor",
"name": "Open-Xchange GmbH"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-30190",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-07-14T08:46:23.697000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "documents/office-web#97"
}
],
"notes": [
{
"category": "description",
"text": "Malicious content at office documents can be used to inject script code when editing a document."
}
],
"product_status": {
"first_fixed": [
"OXAS-OFFICE_8.35.1513818",
"OXAS-OFFICE_8.39.1565929",
"OXAS-OFFICE_8.40.1565935",
"OXAS-OFFICE_8.41.1523928"
],
"last_affected": [
"OXAS-OFFICE_8.35.1513817",
"OXAS-OFFICE_8.39.1565928",
"OXAS-OFFICE_8.40.1565934",
"OXAS-OFFICE_8.41.1523927"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-05T09:52:32.144000+02:00",
"details": "Please deploy the provided updates and patch releases.",
"product_ids": [
"OXAS-OFFICE_8.35.1513817",
"OXAS-OFFICE_8.39.1565928",
"OXAS-OFFICE_8.40.1565934",
"OXAS-OFFICE_8.41.1523927"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-OFFICE_8.35.1513817",
"OXAS-OFFICE_8.39.1565928",
"OXAS-OFFICE_8.40.1565934",
"OXAS-OFFICE_8.41.1523927"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS using unescaped user-ids in OX Documents"
},
{
"cve": "CVE-2025-59025",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-08-05T14:53:35.348000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "appsuite/platform/core#357"
}
],
"notes": [
{
"category": "description",
"text": "Malicious e-mail content can be used to execute script code."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_8.35.111",
"OXAS-BACKEND_8.39.86",
"OXAS-BACKEND_8.40.74",
"OXAS-BACKEND_8.41.51"
],
"last_affected": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.50"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-05T15:53:17.437000+02:00",
"details": "Sanitization has been updated to avoid such bypasses.",
"product_ids": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.50"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.50"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS through sanitizer bypass for CSS elements"
},
{
"cve": "CVE-2025-59026",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-07-03T10:42:45.419000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "appsuite/platform/core#361"
}
],
"notes": [
{
"category": "description",
"text": "Malicious content uploaded as file can be used to execute script code when following attacker-controlled links."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_8.35.111",
"OXAS-BACKEND_8.39.86",
"OXAS-BACKEND_8.40.74",
"OXAS-BACKEND_8.41.68"
],
"last_affected": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.67"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-12T15:35:34.721000+02:00",
"details": "Please deploy the provided updates and patch releases.",
"product_ids": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.67"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.67"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS based on file type confusion in download sanitization"
},
{
"cve": "CVE-2025-30186",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-08-26T10:02:11.663000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "appsuite/platform/core#379"
}
],
"notes": [
{
"category": "description",
"text": "Malicious content uploaded as file can be used to execute script code when following attacker-controlled links."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_8.35.108",
"OXAS-BACKEND_8.38.90",
"OXAS-BACKEND_8.39.84",
"OXAS-BACKEND_8.40.69",
"OXAS-BACKEND_8.41.61"
],
"last_affected": [
"OXAS-BACKEND_8.35.107",
"OXAS-BACKEND_8.38.89",
"OXAS-BACKEND_8.39.83",
"OXAS-BACKEND_8.40.68",
"OXAS-BACKEND_8.41.60"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-16T11:47:41.031000+02:00",
"details": "Please deploy the provided updates and patch releases.",
"product_ids": [
"OXAS-BACKEND_8.35.107",
"OXAS-BACKEND_8.38.89",
"OXAS-BACKEND_8.39.83",
"OXAS-BACKEND_8.40.68",
"OXAS-BACKEND_8.41.60"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_8.35.107",
"OXAS-BACKEND_8.38.89",
"OXAS-BACKEND_8.39.83",
"OXAS-BACKEND_8.40.68",
"OXAS-BACKEND_8.41.60"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS based on HTML extensions in download sanitization"
}
]
}