Vulnerabilities in OX Software GmbH

33 results
CVE ID | Severity | EPSS | Description (truncated on the source page)
CVE-2023-26440 | HIGH | 0.4% | The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be e…
CVE-2023-26441 | MEDIUM | 0.4% | Cacheservice did not correctly check if relative cache objects were pointing to the defined absolute location when accessing resources. An at…
CVE-2023-26456 | MEDIUM | 0.4% | Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the…
CVE-2023-29044 | MEDIUM | 0.4% | Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation…
CVE-2023-29045 | MEDIUM | 0.4% | Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be…
CVE-2023-26454 | HIGH | 0.4% | Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requ…
CVE-2023-26452 | HIGH | 0.4% | Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this…
CVE-2023-26453 | HIGH | 0.4% | Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires a…
CVE-2023-26442 | LOW | 0.3% | In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attac…
CVE-2023-29043 | MEDIUM | 0.3% | Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed w…
CVE-2023-26427 | LOW | 0.3% | Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated t…
CVE-2023-29047 | MEDIUM | 0.3% | Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrar…
CVE-2023-26455 | MEDIUM | 0.2% | RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could…