Vulnerability Description
The RMI interface did not require authentication for calls to ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Xchange | Open-Xchange Appsuite | < 7.10.6 |
Related Weaknesses (CWE)
References
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/ox
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_ (Release Notes, Vendor Advisory)
FAQ
What is CVE-2023-26455?
CVE-2023-26455 is a vulnerability with a CVSS score of 5.6 (MEDIUM). RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. R...
How severe is CVE-2023-26455?
CVE-2023-26455 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-26455?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Open-Xchange Appsuite.