OXAS-ADV-2025-0003
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Classification: TLP:GREEN
- Publication Date: 2025-09-24
- Current version: 2
- Version status: Final
- Aggregate severity: Medium
References
Vulnerabilities
CVE-2025-30190: XSS using unescaped user-ids in OX Documents
- CVE reference: CVE-2025-30190
- Internal reference: documents/office-web#97
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2025-07-14
Description
Malicious content in office documents can be used to inject script code when the document is edited.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 8.35.1513817 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite office 8.39.1565928 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite office 8.40.1565934 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite office 8.41.1523927 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit status
No publicly available exploits are known
Remediation
Vendor fix (2025-08-05)
For products
- OX App Suite office 8.35.1513818
- OX App Suite office 8.39.1565929
- OX App Suite office 8.40.1565935
- OX App Suite office 8.41.1523928
Please deploy the provided updates and patch releases.
CVE-2025-59025: XSS through sanitizer bypass for CSS elements
- CVE reference: CVE-2025-59025
- Internal reference: appsuite/platform/core#357
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2025-08-05
Description
Malicious e-mail content can be used to execute script code.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 8.35.110 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
| OX App Suite backend 8.39.85 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
| OX App Suite backend 8.40.73 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
| OX App Suite backend 8.41.50 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit status
No publicly available exploits are known
Remediation
Vendor fix (2025-08-05)
For products
- OX App Suite backend 8.35.111
- OX App Suite backend 8.39.86
- OX App Suite backend 8.40.74
- OX App Suite backend 8.41.51
Sanitization has been updated to avoid such bypasses.
CVE-2025-59026: XSS based on file type confusion in download sanitization
- CVE reference: CVE-2025-59026
- Internal reference: appsuite/platform/core#361
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2025-07-03
Description
Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 8.35.110 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite backend 8.39.85 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite backend 8.40.73 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite backend 8.41.67 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit status
No publicly available exploits are known
Remediation
Vendor fix (2025-08-12)
For products
- OX App Suite backend 8.35.111
- OX App Suite backend 8.39.86
- OX App Suite backend 8.40.74
- OX App Suite backend 8.41.68
Please deploy the provided updates and patch releases.
CVE-2025-30186: XSS based on HTML extensions in download sanitization
- CVE reference: CVE-2025-30186
- Internal reference: appsuite/platform/core#379
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2025-08-26
Description
Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 8.35.107 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite backend 8.38.89 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite backend 8.39.83 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite backend 8.40.68 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite backend 8.41.60 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
Threats
Impact
Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information.
Exploit status
No publicly available exploits are known
Remediation
Vendor fix (2025-09-16)
For products
- OX App Suite backend 8.35.108
- OX App Suite backend 8.38.90
- OX App Suite backend 8.39.84
- OX App Suite backend 8.40.69
- OX App Suite backend 8.41.61
Please deploy the provided updates and patch releases.
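For the two download-sanitization issues above (CVE-2025-59026 and CVE-2025-30186), the following is an added example of the defensive policy such fixes implement; it is not code from OX App Suite. It serves an uploaded file as an opaque attachment whenever the file extension, the declared MIME type, or a sniff of the leading bytes suggests markup, and adds nosniff so the browser cannot re-interpret the type. The function name, the allow-lists and the sniffing heuristic are this example's own assumptions.

```python
# Added example, not code from OX App Suite: a conservative policy for serving
# user-uploaded files so that nothing is rendered as HTML unless its type is
# explicitly on an inline allow-list. The extension, the declared MIME type and
# a sniff of the first bytes are all treated as untrusted; if any one of them
# suggests markup, the file is forced to download as an opaque attachment.
import re

# Constructed lists for this example; a real deployment would tune them.
HTML_LIKE_EXTENSIONS = {"html", "htm", "xhtml", "xht", "shtml", "svg", "xml", "mht", "mhtml"}
ACTIVE_MIME_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                     "text/xml", "application/xml"}
INLINE_ALLOW_LIST = {"image/png", "image/jpeg", "image/gif", "application/pdf", "text/plain"}

# Leading markup that a browser would interpret as a document if shown inline.
_MARKUP_SNIFF = re.compile(rb"^\s*(?:<!doctype\s+html|<html|<script|<svg|<\?xml)", re.IGNORECASE)


def looks_like_markup(head: bytes) -> bool:
    """True if the first bytes of the file look like HTML, XML or SVG."""
    return _MARKUP_SNIFF.search(head[:1024]) is not None


def download_headers(filename: str, declared_type: str, head: bytes) -> dict:
    """Return Content-Type, Content-Disposition and X-Content-Type-Options for
    an uploaded file, chosen so that a mismatch between name, declared type and
    actual content can never result in the browser executing script from it."""
    name = filename.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    declared = (declared_type or "").split(";", 1)[0].strip().lower()

    risky = (ext in HTML_LIKE_EXTENSIONS
             or declared in ACTIVE_MIME_TYPES
             or looks_like_markup(head))
    if risky or declared not in INLINE_ALLOW_LIST:
        content_type, disposition = "application/octet-stream", "attachment"
    else:
        content_type, disposition = declared, "inline"

    # Neutralise quotes, control characters and path separators in the name
    # so the Content-Disposition header itself cannot be broken out of.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Stop the browser from second-guessing Content-Type by sniffing.
        "X-Content-Type-Options": "nosniff",
    }
```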