Lucene search

[email protected]CVE-2023-29048

HistoryJan 08, 2024 - 9:15 a.m.

CVE-2023-29048

2024-01-0809:15:19

CWE-78

[email protected]

web.nvd.nist.gov

cve-2023-29048

oxmf templates

system commands

unauthorized access

integrity violation

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.7%

JSON

A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known.

Affected configurations

NVD

Node

open-xchangeox_app_suiteRange<7.10.6

open-xchangeox_app_suiteMatch7.10.6-

open-xchangeox_app_suiteMatch7.10.6rev01

open-xchangeox_app_suiteMatch7.10.6rev02

open-xchangeox_app_suiteMatch7.10.6rev03

open-xchangeox_app_suiteMatch7.10.6rev04

open-xchangeox_app_suiteMatch7.10.6rev05

open-xchangeox_app_suiteMatch7.10.6rev06

open-xchangeox_app_suiteMatch7.10.6rev07

open-xchangeox_app_suiteMatch7.10.6rev08

open-xchangeox_app_suiteMatch7.10.6rev09

open-xchangeox_app_suiteMatch7.10.6rev10

open-xchangeox_app_suiteMatch7.10.6rev11

open-xchangeox_app_suiteMatch7.10.6rev12

open-xchangeox_app_suiteMatch7.10.6rev13

open-xchangeox_app_suiteMatch7.10.6rev14

open-xchangeox_app_suiteMatch7.10.6rev15

open-xchangeox_app_suiteMatch7.10.6rev16

open-xchangeox_app_suiteMatch7.10.6rev17

open-xchangeox_app_suiteMatch7.10.6rev18

open-xchangeox_app_suiteMatch7.10.6rev19

open-xchangeox_app_suiteMatch7.10.6rev20

open-xchangeox_app_suiteMatch7.10.6rev21

open-xchangeox_app_suiteMatch7.10.6rev22

open-xchangeox_app_suiteMatch7.10.6rev23

open-xchangeox_app_suiteMatch7.10.6rev24

open-xchangeox_app_suiteMatch7.10.6rev25

open-xchangeox_app_suiteMatch7.10.6rev26

open-xchangeox_app_suiteMatch7.10.6rev27

open-xchangeox_app_suiteMatch7.10.6rev28

open-xchangeox_app_suiteMatch7.10.6rev29

open-xchangeox_app_suiteMatch7.10.6rev30

open-xchangeox_app_suiteMatch7.10.6rev31

open-xchangeox_app_suiteMatch7.10.6rev32

open-xchangeox_app_suiteMatch7.10.6rev33

open-xchangeox_app_suiteMatch7.10.6rev34

open-xchangeox_app_suiteMatch7.10.6rev35

open-xchangeox_app_suiteMatch7.10.6rev36

open-xchangeox_app_suiteMatch7.10.6rev37

open-xchangeox_app_suiteMatch7.10.6rev50

CPENameOperatorVersion
open-xchange:ox_app_suiteopen-xchange ox app suitelt7.10.6

CPE	Name	Operator	Version
open-xchange:ox_app_suite	open-xchange ox app suite	lt	7.10.6

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "backend"
    ],
    "product": "OX App Suite",
    "vendor": "Open-Xchange GmbH",
    "versions": [
      {
        "lessThanOrEqual": "7.10.6-rev50",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

References

packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html

seclists.org/fulldisclosure/2024/Jan/3

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json

software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.7%

JSON

Related for CVE-2023-29048

nvd1 osv1 prion1 cvelist1