CVE-2025-30191 - Vulnerability Details - OpenCVE

Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Open-xchange	Ox App Suite

No data.

No data.

References

Link	Providers
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json

History

Mon, 03 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open-xchange Open-xchange ox App Suite
Vendors & Products		Open-xchange Open-xchange ox App Suite

Fri, 31 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 31 Oct 2025 09:00:00 +0000

Type	Values Removed	Values Added
Description		Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known
Weaknesses		CWE-1021
References		https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: OX

Published: 2025-10-31T08:54:42.202Z

Updated: 2025-10-31T18:27:58.679Z

Reserved: 2025-03-18T08:39:46.884Z

Link: CVE-2025-30191

Vulnrichment

Updated: 2025-10-31T18:24:43.484Z

NVD

Status : Received

Published: 2025-10-31T09:15:47.860

Modified: 2025-10-31T09:15:47.860

Link: CVE-2025-30191

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-30191", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2025-03-18T08:39:46.884Z", "datePublished": "2025-10-31T08:54:42.202Z", "dateUpdated": "2025-10-31T18:27:58.679Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["backend"], "product": "OX App Suite", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "7.6.3-rev77", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "8.35.111", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "8.38.82", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "8.39.79", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "8.40.57", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1021", "description": "Improper Restriction of Rendered UI Layers or Frames", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2025-10-31T08:54:42.202Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json"}], "source": {"defect": "appsuite/platform/core#336", "discovery": "INTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-31T18:16:04.949644Z", "id": "CVE-2025-30191", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T18:27:58.679Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-31T18:16:04.949644Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T18:24:43.484Z"}}], "cna": {"source": {"defect": "appsuite/platform/core#336", "discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open-Xchange GmbH", "modules": ["backend"], "product": "OX App Suite", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.6.3-rev77"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.35.111"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.38.82"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.39.79"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.40.57"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-1021", "description": "Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2025-10-31T08:54:42.202Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30191", "state": "PUBLISHED", "dateUpdated": "2025-10-31T18:27:58.679Z", "dateReserved": "2025-03-18T08:39:46.884Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2025-10-31T08:54:42.202Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}