Product: OX App Suite
Vendor: OX Software GmbH

Vulnerabilities:

- Server-Side Request Forgery (CWE-918):
  - Details: Vulnerability in the iCal event subscription mechanism.
  - Impact: External iCal event sources can redirect to internal network targets.
  - CVE: CVE-2019-14225
  - CVSS: 6.4
  - Solution: Disabling HTTP redirection at the responsible HTTP client component.

- Cross-Site Scripting (CWE-80):
  - Details: Vulnerability in calendar print view and appointment dialogs.
  - Impact: Malicious script execution in user context.
  - CVE: CVE-2019-14226, CVE-2019-14227
  - CVSS: 5.4, 5.4
  - Solution: Fixed template engine escaping routines, escaping folder names.

- Information Exposure (CWE-200):
  - Details: Sharing URLs for external folders accessible to non-admin users.
  - Impact: Risk of unauthorized folder access.
  - CVE: CVE-2019-14226
  - CVSS: 3.1
  - Solution: Removed the "share_url" parameter from API responses for non-admin users.

- Improper Access Control (CWE-284):
  - Details: Flaws in attachment API and appointment visibility handling.
  - Impact: Risk of unexpected content addition and visibility changes.
  - CVE: CVE-2019-14226
  - CVSS: 3.1, 2.2
  - Solution: Improved permission handling for attachments and API calls for appointment visibility.
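As an added illustration of the SSRF entry above (not code from OX App Suite; the DNS map, the fake network and all URLs are constructed stand-ins): a simulated iCal subscription fetch that vets only the user-supplied URL and then lets the HTTP layer follow redirects, beside the fixed behaviour of refusing redirects at the HTTP client.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-ins for DNS and the network; no real requests are made.
FAKE_DNS = {"calendar.example.com": "93.184.216.34"}  # constructed public address
EXTERNAL_FEED = "https://calendar.example.com/team.ics"
INTERNAL_FEED = "http://10.0.0.5/internal/events.ics"
FAKE_NETWORK = {
    # The "external" feed answers with a redirect into the private network.
    EXTERNAL_FEED: (302, {"Location": INTERNAL_FEED}, b""),
    INTERNAL_FEED: (200, {}, b"BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n"),
}

class SubscriptionRefused(Exception):
    """Raised when the subscription URL or a redirect must not be followed."""

def fake_transport(url):
    """Simulated HTTP GET returning (status, headers, body); never follows redirects."""
    return FAKE_NETWORK[url]

def targets_internal_host(url):
    """True if the URL's host resolves to a private, loopback or link-local address."""
    host = urlparse(url).hostname or ""
    addr = ipaddress.ip_address(FAKE_DNS.get(host, host))
    return addr.is_private or addr.is_loopback or addr.is_link_local

def fetch_ical(url, follow_redirects, transport=fake_transport, max_hops=5):
    """Fetch an iCal subscription. Only the user-supplied URL is vetted, mirroring
    a client that validates once and then lets the HTTP layer chase redirects."""
    if targets_internal_host(url):
        raise SubscriptionRefused(f"internal target rejected: {url}")
    for _ in range(max_hops):
        status, headers, body = transport(url)
        if not (300 <= status < 400 and "Location" in headers):
            return body
        if not follow_redirects:
            # The fix: the client never follows a 3xx, so the external source
            # cannot steer the fetch to an address that was never vetted.
            raise SubscriptionRefused(f"redirect refused: {url} -> {headers['Location']}")
        url = headers["Location"]  # vulnerable path: redirect target is not re-vetted

def demo():
    """Returns (body the redirect-following client fetched, error the fixed client raised)."""
    leaked = fetch_ical(EXTERNAL_FEED, follow_redirects=True)
    try:
        fetch_ical(EXTERNAL_FEED, follow_redirects=False)
        blocked = None
    except SubscriptionRefused as exc:
        blocked = str(exc)
    return leaked, blocked
```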