Vulnerability Description
E-mails containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding display-name information in the web interface. No publicly available exploits are known.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Xchange | Ox App Suite | < 8.22 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2024/May/3 (Mailing List, Third Party Advisory)
- https://documentation.open-xchange.com/appsuite/releases/8.22/ (Release Notes)
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/ox (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2024-23186?
CVE-2024-23186 is a vulnerability with a CVSS score of 6.5 (MEDIUM). E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract informatio...
How severe is CVE-2024-23186?
CVE-2024-23186 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-23186?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Ox App Suite.