CVE-2023-26441

🗓️ 02 Aug 2023 12:23:09Reported by OXType

Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the services system user account. We have improved path validation and make sure that any access is contained to the defined root directory

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2023-26441	2 Aug 202316:39	–	circl
CNNVD	Open-Xchange AppSuite Path Traversal Vulnerability	2 Aug 202300:00	–	cnnvd
Cvelist	CVE-2023-26441	2 Aug 202312:23	–	cvelist
EUVD	EUVD-2023-30261	3 Oct 202520:07	–	euvd
NVD	CVE-2023-26441	2 Aug 202313:15	–	nvd
OSV	CVE-2023-26441	2 Aug 202313:15	–	osv
Prion	Input validation	2 Aug 202313:15	–	prion
Positive Technologies	PT-2023-20634 · Unknown · Cacheservice	2 Aug 202300:00	–	ptsecurity
RedhatCVE	CVE-2023-26441	23 May 202504:38	–	redhatcve

NVD

Node

open-xchange open-xchange_appsuite_officeRange<8.11

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "office"
    ],
    "product": "OX App Suite",
    "vendor": "OX Software GmbH",
    "versions": [
      {
        "lessThanOrEqual": "8.10",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
seclists	www.seclists.org/fulldisclosure/2023/Aug/8
software	www.software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
documentation	www.documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
packetstormsecurity	www.packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html

21 Nov 2024 07:51Current

5.4Medium risk

Vulners AI Score5.4

CVSS 3.15.5 - 5.7

EPSS0.00043