The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2023/Aug/8 | Mailing List Third Party Advisory |
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json | |
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf | Release Notes |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: OX
Published: 2023-08-02T12:23:43.953Z
Updated: 2024-01-12T07:11:32.841Z
Reserved: 2023-02-22T20:42:56.091Z
Link: CVE-2023-26450
JSON object: View
NVD Information
Status : Modified
Published: 2023-08-02T13:15:11.160
Modified: 2024-01-12T08:15:42.500
Link: CVE-2023-26450
JSON object: View
Redhat Information
No data.
CWE