Advisory Date: 2021-11-18
Product: OX App Suite, OX Documents
Vendor: OX Software GmbH

Key Vulnerabilities:

1. MWB-993: Cross-Site Scripting (CWE-80)
   - Vulnerable Component: Backend
   - CVSS: 5.3
   - Risk: Malicious script code execution
2. MWB-1067: Code Injection (CWE-94)
   - Vulnerable Component: Middleware
   - CVSS: 3.9
   - Risk: Arbitrary Java code execution
3. MWB-1094: Cross-Site Scripting (CWE-80)
   - Vulnerable Component: Backend
   - CVSS: 3.5
   - Risk: Malicious script code execution
4. DOCS-3309: Relative Path Traversal (CWE-23)
   - Vulnerable Component: Office
   - CVSS: 6.4
   - Risk: Override writable files
5. OXUIB-770: Improper Input Validation (CWE-20)
   - Vulnerable Component: Frontend
   - CVSS: 5.4
   - Risk: Redirect to rogue OX Chat servers
6. OXUIB-771: Cross-Site Scripting (CWE-80)
   - Vulnerable Component: Backend
   - CVSS: 5.3
   - Risk: Malicious script code execution
7. OXUIB-809: Cross-Site Scripting (CWE-80)
   - Vulnerable Component: Frontend
   - CVSS: 5.3
   - Risk: Malicious script code execution
8. OXUIB-837: Cross-Site Scripting (CWE-80)
   - Vulnerable Component: Frontend
   - CVSS: 5.3
   - Risk: Malicious script code execution
9. OXUIB-838: Cross-Site Scripting (CWE-80)
   - Vulnerable Component: Frontend
   - CVSS: 5.3
   - Risk: Malicious script code execution

Common Solutions: Improved sanitization and input validation
Fixed versions: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13