CVE-2023-26448

🗓️ 02 Aug 2023 12:23:33Reported by OXType

Custom log-in and log-out locations not checked for malicious protocol handlers, allowing execution of malicious script code within victim's context, leading to session hijacking. Sanitizing jslob content for these locations to avoid redirects to malicious content

Reporter	Title	Published	Views	Family All 8
Circl	CVE-2023-26448	2 Aug 202316:39	–	circl
CNNVD	Open-Xchange AppSuite Cross-Site Scripting Vulnerability	2 Aug 202300:00	–	cnnvd
Cvelist	CVE-2023-26448	2 Aug 202312:23	–	cvelist
EUVD	EUVD-2023-30268	3 Oct 202520:07	–	euvd
NVD	CVE-2023-26448	2 Aug 202313:15	–	nvd
Prion	Code injection	2 Aug 202313:15	–	prion
Positive Technologies	PT-2023-20640 · Ox Software Gmbh +1 · Ox App Suite +1	2 Aug 202300:00	–	ptsecurity
RedhatCVE	CVE-2023-26448	23 May 202505:39	–	redhatcve

NVD

Node

open-xchange open-xchange_appsuite_frontendRange≤7.10.6

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "frontend"
    ],
    "product": "OX App Suite",
    "vendor": "OX Software GmbH",
    "versions": [
      {
        "lessThanOrEqual": "7.10.6-rev27",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
seclists	www.seclists.org/fulldisclosure/2023/Aug/8
software	www.software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
documentation	www.documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
packetstormsecurity	www.packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html

17 Jun 2026 05:43Current

5.6Medium risk

Vulners AI Score5.6

CVSS 3.15.4

EPSS0.00558

CWE-79