OXAS-ADV-2025-0003
Vulnerability from csaf_ox - Published: 2025-09-24 00:00 - Updated: 2025-11-27 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2025-0003
Severity
Medium
Notes
Terms of Use: This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.
Malicious content in office documents can be used to inject script code when editing a document.
5.4 (Medium)
Affected products
Last affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite office 8.35.1513817 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.35.1513817:*:*:*:*:*:*:*` | 8.35.1513817 | Vendor Fix |
| OX App Suite office 8.39.1565928 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.39.1565928:*:*:*:*:*:*:*` | 8.39.1565928 | Vendor Fix |
| OX App Suite office 8.40.1565934 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.40.1565934:*:*:*:*:*:*:*` | 8.40.1565934 | Vendor Fix |
| OX App Suite office 8.41.1523927 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.41.1523927:*:*:*:*:*:*:*` | 8.41.1523927 | Vendor Fix |
First fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite office 8.35.1513818 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.35.1513818:*:*:*:*:*:*:*` | 8.35.1513818 | |
| OX App Suite office 8.39.1565929 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.39.1565929:*:*:*:*:*:*:*` | 8.39.1565929 | |
| OX App Suite office 8.40.1565935 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.40.1565935:*:*:*:*:*:*:*` | 8.40.1565935 | |
| OX App Suite office 8.41.1523928 (Open-Xchange GmbH / OX App Suite office) | `cpe:2.3:a:open-xchange:office:8.41.1523928:*:*:*:*:*:*:*` | 8.41.1523928 | |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit Status
No publicly available exploits are known
Malicious e-mail content can be used to execute script code.
6.1 (Medium)
Affected products
Last affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite backend 8.35.110 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.35.110:*:*:*:*:*:*:*` | 8.35.110 | Vendor Fix |
| OX App Suite backend 8.39.85 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.39.85:*:*:*:*:*:*:*` | 8.39.85 | Vendor Fix |
| OX App Suite backend 8.40.73 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.40.73:*:*:*:*:*:*:*` | 8.40.73 | Vendor Fix |
| OX App Suite backend 8.41.50 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.41.50:*:*:*:*:*:*:*` | 8.41.50 | Vendor Fix |
First fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite backend 8.35.111 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.35.111:*:*:*:*:*:*:*` | 8.35.111 | |
| OX App Suite backend 8.39.86 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.39.86:*:*:*:*:*:*:*` | 8.39.86 | |
| OX App Suite backend 8.40.74 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.40.74:*:*:*:*:*:*:*` | 8.40.74 | |
| OX App Suite backend 8.41.51 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.41.51:*:*:*:*:*:*:*` | 8.41.51 | |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit Status
No publicly available exploits are known
Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links.
5.4 (Medium)
Affected products
Last affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite backend 8.35.110 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.35.110:*:*:*:*:*:*:*` | 8.35.110 | Vendor Fix |
| OX App Suite backend 8.39.85 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.39.85:*:*:*:*:*:*:*` | 8.39.85 | Vendor Fix |
| OX App Suite backend 8.40.73 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.40.73:*:*:*:*:*:*:*` | 8.40.73 | Vendor Fix |
| OX App Suite backend 8.41.67 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.41.67:*:*:*:*:*:*:*` | 8.41.67 | Vendor Fix |
First fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite backend 8.35.111 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.35.111:*:*:*:*:*:*:*` | 8.35.111 | |
| OX App Suite backend 8.39.86 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.39.86:*:*:*:*:*:*:*` | 8.39.86 | |
| OX App Suite backend 8.40.74 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.40.74:*:*:*:*:*:*:*` | 8.40.74 | |
| OX App Suite backend 8.41.68 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.41.68:*:*:*:*:*:*:*` | 8.41.68 | |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit Status
No publicly available exploits are known
Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links.
5.4 (Medium)
Affected products
Last affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite backend 8.35.107 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.35.107:*:*:*:*:*:*:*` | 8.35.107 | Vendor Fix |
| OX App Suite backend 8.38.89 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.38.89:*:*:*:*:*:*:*` | 8.38.89 | Vendor Fix |
| OX App Suite backend 8.39.83 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.39.83:*:*:*:*:*:*:*` | 8.39.83 | Vendor Fix |
| OX App Suite backend 8.40.68 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.40.68:*:*:*:*:*:*:*` | 8.40.68 | Vendor Fix |
| OX App Suite backend 8.41.60 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.41.60:*:*:*:*:*:*:*` | 8.41.60 | Vendor Fix |
First fixed
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| OX App Suite backend 8.35.108 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.35.108:*:*:*:*:*:*:*` | 8.35.108 | |
| OX App Suite backend 8.38.90 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.38.90:*:*:*:*:*:*:*` | 8.38.90 | |
| OX App Suite backend 8.39.84 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.39.84:*:*:*:*:*:*:*` | 8.39.84 | |
| OX App Suite backend 8.40.69 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.40.69:*:*:*:*:*:*:*` | 8.40.69 | |
| OX App Suite backend 8.41.61 (Open-Xchange GmbH / OX App Suite backend) | `cpe:2.3:a:open-xchange:app_suite:8.41.61:*:*:*:*:*:*:*` | 8.41.61 | |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit Status
No publicly available exploits are known
References
{
"document": {
"aggregate_severity": {
"text": "MEDIUM"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Open-Xchange GmbH. All rights reserved.",
"tlp": {
"label": "GREEN",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"name": "Open-Xchange GmbH",
"namespace": "https://open-xchange.com/"
},
"references": [
{
"category": "self",
"summary": "Canonical CSAF document",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json"
},
{
"category": "self",
"summary": "Markdown representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2025/oxas-adv-2025-0003.md"
},
{
"category": "self",
"summary": "HTML representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0003.html"
},
{
"category": "self",
"summary": "Plain-text representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2025/oxas-adv-2025-0003.txt"
}
],
"title": "OX App Suite Security Advisory OXAS-ADV-2025-0003",
"tracking": {
"current_release_date": "2025-11-27T00:00:00+00:00",
"generator": {
"date": "2025-11-27T09:23:02+00:00",
"engine": {
"name": "OX CSAF",
"version": "1.0.0"
}
},
"id": "OXAS-ADV-2025-0003",
"initial_release_date": "2025-09-24T00:00:00+02:00",
"revision_history": [
{
"date": "2025-09-24T00:00:00+02:00",
"number": "1",
"summary": "Initial release"
},
{
"date": "2025-11-27T00:00:00+00:00",
"number": "2",
"summary": "Public release"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "8.35.1513817",
"product": {
"name": "OX App Suite office 8.35.1513817",
"product_id": "OXAS-OFFICE_8.35.1513817",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.35.1513817:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.1565928",
"product": {
"name": "OX App Suite office 8.39.1565928",
"product_id": "OXAS-OFFICE_8.39.1565928",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.39.1565928:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.1565934",
"product": {
"name": "OX App Suite office 8.40.1565934",
"product_id": "OXAS-OFFICE_8.40.1565934",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.40.1565934:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.1523927",
"product": {
"name": "OX App Suite office 8.41.1523927",
"product_id": "OXAS-OFFICE_8.41.1523927",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.41.1523927:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.1513818",
"product": {
"name": "OX App Suite office 8.35.1513818",
"product_id": "OXAS-OFFICE_8.35.1513818",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.35.1513818:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.1565929",
"product": {
"name": "OX App Suite office 8.39.1565929",
"product_id": "OXAS-OFFICE_8.39.1565929",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.39.1565929:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.1565935",
"product": {
"name": "OX App Suite office 8.40.1565935",
"product_id": "OXAS-OFFICE_8.40.1565935",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.40.1565935:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.1523928",
"product": {
"name": "OX App Suite office 8.41.1523928",
"product_id": "OXAS-OFFICE_8.41.1523928",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:8.41.1523928:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "OX App Suite office"
},
{
"branches": [
{
"category": "product_version",
"name": "8.35.110",
"product": {
"name": "OX App Suite backend 8.35.110",
"product_id": "OXAS-BACKEND_8.35.110",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.110:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.85",
"product": {
"name": "OX App Suite backend 8.39.85",
"product_id": "OXAS-BACKEND_8.39.85",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.85:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.73",
"product": {
"name": "OX App Suite backend 8.40.73",
"product_id": "OXAS-BACKEND_8.40.73",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.73:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.50",
"product": {
"name": "OX App Suite backend 8.41.50",
"product_id": "OXAS-BACKEND_8.41.50",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.50:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.111",
"product": {
"name": "OX App Suite backend 8.35.111",
"product_id": "OXAS-BACKEND_8.35.111",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.111:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.86",
"product": {
"name": "OX App Suite backend 8.39.86",
"product_id": "OXAS-BACKEND_8.39.86",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.86:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.74",
"product": {
"name": "OX App Suite backend 8.40.74",
"product_id": "OXAS-BACKEND_8.40.74",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.74:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.51",
"product": {
"name": "OX App Suite backend 8.41.51",
"product_id": "OXAS-BACKEND_8.41.51",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.51:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.67",
"product": {
"name": "OX App Suite backend 8.41.67",
"product_id": "OXAS-BACKEND_8.41.67",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.67:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.68",
"product": {
"name": "OX App Suite backend 8.41.68",
"product_id": "OXAS-BACKEND_8.41.68",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.68:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.107",
"product": {
"name": "OX App Suite backend 8.35.107",
"product_id": "OXAS-BACKEND_8.35.107",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.107:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.38.89",
"product": {
"name": "OX App Suite backend 8.38.89",
"product_id": "OXAS-BACKEND_8.38.89",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.38.89:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.83",
"product": {
"name": "OX App Suite backend 8.39.83",
"product_id": "OXAS-BACKEND_8.39.83",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.83:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.68",
"product": {
"name": "OX App Suite backend 8.40.68",
"product_id": "OXAS-BACKEND_8.40.68",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.68:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.60",
"product": {
"name": "OX App Suite backend 8.41.60",
"product_id": "OXAS-BACKEND_8.41.60",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.60:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.35.108",
"product": {
"name": "OX App Suite backend 8.35.108",
"product_id": "OXAS-BACKEND_8.35.108",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.35.108:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.38.90",
"product": {
"name": "OX App Suite backend 8.38.90",
"product_id": "OXAS-BACKEND_8.38.90",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.38.90:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.39.84",
"product": {
"name": "OX App Suite backend 8.39.84",
"product_id": "OXAS-BACKEND_8.39.84",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.39.84:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.40.69",
"product": {
"name": "OX App Suite backend 8.40.69",
"product_id": "OXAS-BACKEND_8.40.69",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.40.69:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.41.61",
"product": {
"name": "OX App Suite backend 8.41.61",
"product_id": "OXAS-BACKEND_8.41.61",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.41.61:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "OX App Suite backend"
}
],
"category": "vendor",
"name": "Open-Xchange GmbH"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-30190",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-07-14T08:46:23.697000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "documents/office-web#97"
}
],
"notes": [
{
"category": "description",
"text": "Malicious content at office documents can be used to inject script code when editing a document."
}
],
"product_status": {
"first_fixed": [
"OXAS-OFFICE_8.35.1513818",
"OXAS-OFFICE_8.39.1565929",
"OXAS-OFFICE_8.40.1565935",
"OXAS-OFFICE_8.41.1523928"
],
"last_affected": [
"OXAS-OFFICE_8.35.1513817",
"OXAS-OFFICE_8.39.1565928",
"OXAS-OFFICE_8.40.1565934",
"OXAS-OFFICE_8.41.1523927"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-05T09:52:32.144000+02:00",
"details": "Please deploy the provided updates and patch releases.",
"product_ids": [
"OXAS-OFFICE_8.35.1513817",
"OXAS-OFFICE_8.39.1565928",
"OXAS-OFFICE_8.40.1565934",
"OXAS-OFFICE_8.41.1523927"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-OFFICE_8.35.1513817",
"OXAS-OFFICE_8.39.1565928",
"OXAS-OFFICE_8.40.1565934",
"OXAS-OFFICE_8.41.1523927"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS using unescaped user-ids in OX Documents"
},
{
"cve": "CVE-2025-59025",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-08-05T14:53:35.348000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "appsuite/platform/core#357"
}
],
"notes": [
{
"category": "description",
"text": "Malicious e-mail content can be used to execute script code."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_8.35.111",
"OXAS-BACKEND_8.39.86",
"OXAS-BACKEND_8.40.74",
"OXAS-BACKEND_8.41.51"
],
"last_affected": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.50"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-05T15:53:17.437000+02:00",
"details": "Sanitization has been updated to avoid such bypasses.",
"product_ids": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.50"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.50"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS through sanitizer bypass for CSS elements"
},
{
"cve": "CVE-2025-59026",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-07-03T10:42:45.419000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "appsuite/platform/core#361"
}
],
"notes": [
{
"category": "description",
"text": "Malicious content uploaded as file can be used to execute script code when following attacker-controlled links."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_8.35.111",
"OXAS-BACKEND_8.39.86",
"OXAS-BACKEND_8.40.74",
"OXAS-BACKEND_8.41.68"
],
"last_affected": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.67"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-12T15:35:34.721000+02:00",
"details": "Please deploy the provided updates and patch releases.",
"product_ids": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.67"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_8.35.110",
"OXAS-BACKEND_8.39.85",
"OXAS-BACKEND_8.40.73",
"OXAS-BACKEND_8.41.67"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS based on file type confusion in download sanitization"
},
{
"cve": "CVE-2025-30186",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-08-26T10:02:11.663000+02:00",
"ids": [
{
"system_name": "GitLab Issue",
"text": "appsuite/platform/core#379"
}
],
"notes": [
{
"category": "description",
"text": "Malicious content uploaded as file can be used to execute script code when following attacker-controlled links."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_8.35.108",
"OXAS-BACKEND_8.38.90",
"OXAS-BACKEND_8.39.84",
"OXAS-BACKEND_8.40.69",
"OXAS-BACKEND_8.41.61"
],
"last_affected": [
"OXAS-BACKEND_8.35.107",
"OXAS-BACKEND_8.38.89",
"OXAS-BACKEND_8.39.83",
"OXAS-BACKEND_8.40.68",
"OXAS-BACKEND_8.41.60"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-16T11:47:41.031000+02:00",
"details": "Please deploy the provided updates and patch releases.",
"product_ids": [
"OXAS-BACKEND_8.35.107",
"OXAS-BACKEND_8.38.89",
"OXAS-BACKEND_8.39.83",
"OXAS-BACKEND_8.40.68",
"OXAS-BACKEND_8.41.60"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_8.35.107",
"OXAS-BACKEND_8.38.89",
"OXAS-BACKEND_8.39.83",
"OXAS-BACKEND_8.40.68",
"OXAS-BACKEND_8.41.60"
]
}
],
"threats": [
{
"category": "impact",
"details": "Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known"
}
],
"title": "XSS based on HTML extensions in download sanitization"
}
]
}