Vulnerability Description
E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Xchange | Ox App Suite | < 8.22 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2024/May/3Mailing ListThird Party Advisory
- https://documentation.open-xchange.com/appsuite/releases/8.22/Release Notes
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxIssue TrackingVendor Advisory
- http://seclists.org/fulldisclosure/2024/May/3Mailing ListThird Party Advisory
- https://documentation.open-xchange.com/appsuite/releases/8.22/Release Notes
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxIssue TrackingVendor Advisory
FAQ
What is CVE-2024-23193?
CVE-2024-23193 is a vulnerability with a CVSS score of 5.3 (MEDIUM). E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case ...
How severe is CVE-2024-23193?
CVE-2024-23193 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-23193?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Xchange Ox App Suite.