Secator

**Name of the Vulnerable Software and Affected Versions** OX App Suite versions 7.8.4 and earlier **Description** The issue allows for XSS, which can be exploited. **Recommendations** For OX App Suite versions 7.8.4 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OX App Suite versions prior to 7.8.4 **Description** The issue allows for Server-Side Request Forgery. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** For versions prior to 7.8.4, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OX App Suite versions 7.8.4 and earlier **Description** The issue allows Directory Traversal. **Recommendations** For OX App Suite versions 7.8.4 and earlier, update to a version later than 7.8.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Open-Xchange OX App Suite versions prior to 7.6.3-rev31 Open-Xchange OX App Suite versions 7.8.x prior to 7.8.2-rev31 Open-Xchange OX App Suite version 7.8.3 prior to 7.8.3-rev41 Open-Xchange OX App Suite version 7.8.4 prior to 7.8.4-rev28 **Description** A cross-site scripting (XSS) issue exists in the mail compose feature of Open-Xchange OX App Suite. This allows remote attackers to inject arbitrary web script or HTML via the `data-target` attribute in an HTML page with `data-toggle` gadgets. **Recommendations** For versions prior to 7.6.3-rev31, update to version 7.6.3-rev31 or later. For versions 7.8.x prior to 7.8.2-rev31, update to version 7.8.2-rev31 or later. For version 7.8.3 prior to 7.8.3-rev41, update to version 7.8.3-rev41 or later. For version 7.8.4 prior to 7.8.4-rev28, update to version 7.8.4-rev28 or later.

**Name of the Vulnerable Software and Affected Versions** Open-Xchange OX Guard versions prior to 2.4.2-rev5 **Description** An issue allows script code and references to external websites to be injected into the names of PGP public keys. When a user requests the key later using a specific URL, the injected script code might be executed, potentially leading to session hijacking or triggering unwanted actions via the web interface, such as sending mail or deleting data. This could also lure users into a phishing scheme, allowing malicious script code to be executed within a user's context. **Recommendations** For Open-Xchange OX Guard versions prior to 2.4.2-rev5, update to version 2.4.2-rev5 or later to resolve the issue. As a temporary workaround, consider restricting access to the PGP public key management interface to minimize the risk of exploitation. Avoid using the vulnerable key management functionality until the issue is resolved.