Top reports from Open-Xchange program at HackerOne:
- Arbitrary local system file read on open-xchange server to Open-Xchange - 124 upvotes, $2000
- Null pointer dereference in SMTP server function smtp_string_parse to Open-Xchange - 105 upvotes, $1500
- Blind XXE via Powerpoint files to Open-Xchange - 83 upvotes, $2000
- CSRF combined with IDOR within Document Converter exposes files to Open-Xchange - 51 upvotes, $500
- SSRF in VCARD photo upload functionality to Open-Xchange - 49 upvotes, $850
- OX (Guard): Stored Cross-Site Scripting via Incoming Email to Open-Xchange - 48 upvotes, $1000
- Memory corruption in imap-parser.c to Open-Xchange - 46 upvotes, $5000
- SSRF - Blacklist bypass for mail account addition to Open-Xchange - 43 upvotes, $500
- SSRF - Image Sources in HTML Snippets - 727234 bypass to Open-Xchange - 41 upvotes, $400
- [XSS] Style/Event Filter Bypass v3.0 to Open-Xchange - 39 upvotes, $500
- SSRF - Office Documents - Image URL to Open-Xchange - 37 upvotes, $450
- SSRF - URL Attachments - 725307 bypass to Open-Xchange - 36 upvotes, $400
- SSRF - RSS feed, blacklist bypass (301 re-direct) to Open-Xchange - 33 upvotes, $850
- Stored XSS to Open-Xchange - 33 upvotes, $500
- Another window.opener issue to Open-Xchange - 32 upvotes, $900
- SSRF - RSS feed, blacklist bypass (IP Formatting) to Open-Xchange - 32 upvotes, $850
- Use after free in smtp_server_connection_handle_command to Open-Xchange - 30 upvotes, $500
- Tab nabbing via window.opener to Open-Xchange - 28 upvotes, $666
- Set Cookie Via SVG to Open-Xchange - 28 upvotes, $250
- Two heap use-after-free errors in IMAP operations to Open-Xchange - 26 upvotes, $1200
- IDOR - Downloading all attachements if having access to a shared link to Open-Xchange - 26 upvotes, $888
- Username restriction bypass with SSL client authentication to Open-Xchange - 25 upvotes, $1000
- Panic: Input stream data unexpectedly has references to Open-Xchange - 21 upvotes, $50
- IDOR - Accessing other user's attachements via PUT /appsuite/api/files?action=saveAs to Open-Xchange - 20 upvotes, $888
- SSRF in /appsuite/api/autoconfig to Open-Xchange - 20 upvotes, $850
- IDOR - Deleting other user's signature via /appsuite/api/snippet?action=update (although an error is thrown) to Open-Xchange - 19 upvotes, $300
- XSS on opening a malicious OpenOffice text document to Open-Xchange - 18 upvotes, $400
- OX (Guard): Stored Cross-Site Scripting via Email Attachment to Open-Xchange - 17 upvotes, $300
- Dovecot authentication is vulnerable to timing attacks. to Open-Xchange - 16 upvotes, $600
- Unchecked URL in attachment datasource to Open-Xchange - 15 upvotes, $850
- Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf) to Open-Xchange - 14 upvotes, $500
- Another Stored XSS in mail app using Drive app to Open-Xchange - 14 upvotes, $500
- IDOR - Leaking other user's folder names from /appsuite/api/import?action=ICA to Open-Xchange - 14 upvotes, $300
- [IDOR] Deleting other people's tasks to Open-Xchange - 14 upvotes, $300
- IDOR allow to extract all registered email to Open-Xchange - 14 upvotes, $300
- IDOR - Folder names disclosure inside a domain, regardless of user to Open-Xchange - 14 upvotes, $250
- reading the stack data of the imap process to Open-Xchange - 14 upvotes, $50
- IDOR - setAttribute action of user object in API to Open-Xchange - 13 upvotes, $400
- IDOR - Deleting other user's reminders just by id to Open-Xchange - 13 upvotes, $300
- SSRF protection bypass in /appsuite/api/oxodocumentfilter addfile action to Open-Xchange - 12 upvotes, $550
- OX Guard: DOM Based Cross-Site Scripting (#2) to Open-Xchange - 12 upvotes, $500
- store xss in calendar via upload filename to Open-Xchange - 12 upvotes, $250
- IDOR to view other user folder name to Open-Xchange - 12 upvotes, $250
- Pre-auth Denial-of-Service in Dovecot RPA implementation to Open-Xchange - 11 upvotes, $550
- [XSS] RSS Feed Widget to Open-Xchange - 11 upvotes, $500
- Stored XSS in mail app to Open-Xchange - 10 upvotes, $500
- No session expiry after log-out and session id exposed in URL to Open-Xchange - 10 upvotes, $300
- [SSRF] PDF documentconverterws to Open-Xchange - 9 upvotes, $850
- [XSS/CSRF] filter content-type bypass in Files to Open-Xchange - 9 upvotes, $750
- XSS on opening malicious OpenOffice presentation document to Open-Xchange - 9 upvotes, $400
- Stored XSS in Template Documents to Open-Xchange - 9 upvotes, $300
- Buffer over-reads in i_stream_zlib_read to Open-Xchange - 9 upvotes, $50
- Buffer over read from
smtp_command_parse_parametersto Open-Xchange - 9 upvotes, $50 - Blind SSRF in /appsuite/api/oxodocumentfilter&action=addfile to Open-Xchange - 8 upvotes, $550
- OX Guard: DOM Based Cross-Site Scripting to Open-Xchange - 8 upvotes, $500
- RTLO character in file names to Open-Xchange - 8 upvotes, $250
- Incomplete HTML sanitization + Session id leaking + private information disclosure to Open-Xchange - 8 upvotes, $200
- Selecting encryption for email with drive attachment overrides the drive email password to Open-Xchange - 8 upvotes, $100
- Stored XSS in Email attachment file name to Open-Xchange - 7 upvotes, $500
- XSS - Guard - Insufficient escaping of User-IDs from PGP Keys to Open-Xchange - 7 upvotes, $500
- XSS on opening malicious OpenOffice presentation document to Open-Xchange - 7 upvotes, $400
- [XSS] Style/Event Filter Bypass v4.0 to Open-Xchange - 6 upvotes, $500
- Stored-XSS with user interaction on [sandbox.open-xchange.com] via inserted link in mail to Open-Xchange - 6 upvotes, $500
- Adding external participants to unaccessible appointments to Open-Xchange - 6 upvotes, $300
- Panic in file smtp-address.c: line 684 (smtp_address_write): assertion failed: (smtp_char_is_qpair(*p)) to Open-Xchange - 6 upvotes, $50
- Buffer overflow in sha3 to Open-Xchange - 6 upvotes, $0
- Pre-auth buffer over-read in Dovecot NTLM implementation to Open-Xchange - 5 upvotes, $550
- A specially crafted message sent to the local delivery agent (LMTP) causes the LMTP child process to issue a panic (call i_panic) to Open-Xchange - 5 upvotes, $450
- Recursor accepts unsigned, empty NXDOMAINs in secure zones to Open-Xchange - 5 upvotes, $400
- Incomplete fix for CVE-2020-12673 : Specially crafted NTML message leads to buffer over read to Open-Xchange - 5 upvotes, $400
- null dereference in
sieve_address_do_validate(or redundant null check) to Open-Xchange - 5 upvotes, $50 - Null pointer deference in call to
mail_get_flagsto Open-Xchange - 5 upvotes, $50 - Out of memory with combination of
test_config_setandtest_config_reloadto Open-Xchange - 5 upvotes, $50 - nginx server vulnerable to Open-Xchange - 5 upvotes, $0
- Information About Your System(Sensitive Directories) to Open-Xchange - 5 upvotes, $0
- [XSS] Mail <style> v2.0 to Open-Xchange - 4 upvotes, $500
- SSRF - Guard - Unchecked HKP servers to Open-Xchange - 4 upvotes, $400
- SSRF - Guard - Unchecked WKS servers to Open-Xchange - 4 upvotes, $400
- Unauthorized access to attachments details of Private Calendar appointments (Access control issue) to Open-Xchange - 4 upvotes, $200
- command Injection in rawlog binary to Open-Xchange - 4 upvotes, $0
- [XSS/CSRF] filter content-type bypass in Files v2.0 to Open-Xchange - 3 upvotes, $500
- [XSS] Parameter Theme to Open-Xchange - 3 upvotes, $300
- [XSS] Forgot password link to Open-Xchange - 3 upvotes, $300
- [XSS] select/onchange in TinyMCE via set body to Open-Xchange - 3 upvotes, $300
- [XSS] Portal Widget Mail to Open-Xchange - 3 upvotes, $250
- Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation) to Open-Xchange - 3 upvotes, $200
- Null pointer dereference in SMTP server function smtp_command_parse_data_with_size to Open-Xchange - 3 upvotes, $50
- Null dereference or redundant null check in
mail_crypt_load_global_private_keyfor plugin mail-crypt to Open-Xchange - 3 upvotes, $50 - Directory listing to Open-Xchange - 3 upvotes, $0
- Web Browser XSS Protection Not Enabled to Open-Xchange - 3 upvotes, $0
- Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks) to Open-Xchange - 3 upvotes, $0
- Null pointer dereference in lib-sieve after calling sieve_binary_block_index to Open-Xchange - 3 upvotes, $0
- [XSS] content_disposition=inline in files to Open-Xchange - 2 upvotes, $500
- Buffer overread off by one in
rpa_read_buffer, incomplete fix for CVE-2020-12674 to Open-Xchange - 2 upvotes, $400 - [XSS] Pasting bootstrap in mail compose to Open-Xchange - 2 upvotes, $300
- Resend invitation to members by Read only user(Privilege Escalation) to Open-Xchange - 2 upvotes, $200
- Buffer overread in parse_angle_addr called from message_address_parse_path to Open-Xchange - 2 upvotes, $50
- Multiple buffer over reads in mbox_from_parse to Open-Xchange - 2 upvotes, $50
- Failed assert in
mail_index_transaction_lookupto Open-Xchange - 2 upvotes, $50 - SSL Certification Expired And TLS Vulnerability to Open-Xchange - 2 upvotes, $0
- Directory traversal allows execution of arbitrary binaries usign doveadm exec to Open-Xchange - 2 upvotes, $0
- Referer in /servlet/TestServlet to Open-Xchange - 1 upvotes, $300
- Cross-Site Scripting Vulnerability in dovecot.fi to Open-Xchange - 1 upvotes, $0
- DIrectory Listing Found to Open-Xchange - 1 upvotes, $0
- Apache version disclosure to Open-Xchange - 1 upvotes, $0
- Outdated Apache Server in www.dovecot.fi is vulnerable to various attack. to Open-Xchange - 1 upvotes, $0
- Null dereference in mcht_relational_validate ext-relational-common.c:136 to Open-Xchange - 0 upvotes, $50
- Null dereference in
cmd_denotify_operation_executeto Open-Xchange - 0 upvotes, $50 - Assert failed in
edit_mail_istream_readto Open-Xchange - 0 upvotes, $50 - Missing (or redundant) null check in
dcrypt_openssl_signto Open-Xchange - 0 upvotes, $0 - A specifically designed sieve script can cause a DoS in lib-sieve during sieve script compilation via NULL pointer dereference to Open-Xchange - 0 upvotes, $0