CVE-2023-26446 — MEDIUM (5.4)

Q: How severe is CVE-2023-26446?

CVE-2023-26446 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-26446?

Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Open-Xchange Appsuite Frontend.

Vulnerability Description

The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Open-Xchange	Open-Xchange Appsuite Frontend	<= 7.10.6

Related Weaknesses (CWE)

CWE-79

References

http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-CrosThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2023/Aug/8Mailing ListThird Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/ox
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release Notes
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-CrosThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2023/Aug/8Mailing ListThird Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/ox
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release Notes

FAQ

What is CVE-2023-26446?

CVE-2023-26446 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacki...

How severe is CVE-2023-26446?

CVE-2023-26446 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-26446?

Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Open-Xchange Appsuite Frontend.