Vulnerability Description
The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Xchange | Ox App Suite | < 7.10.6 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-ExecThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2024/Jan/3Mailing ListThird Party Advisory
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxIssue Tracking
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release Notes
- http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-ExecThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2024/Jan/3Mailing ListThird Party Advisory
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxIssue Tracking
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release Notes
FAQ
What is CVE-2023-29049?
CVE-2023-29049 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, ...
How severe is CVE-2023-29049?
CVE-2023-29049 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-29049?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Ox App Suite.