CVE-2023-26453

🗓️ 02 Nov 2023 13:01:12Reported by OXType

Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known

Reporter	Title	Published	Views	Family All 7
CNNVD	Open-Xchange App Suite SQL Injection Vulnerability	2 Nov 202300:00	–	cnnvd
CVE	CVE-2023-26453	2 Nov 202313:01	–	cve
EUVD	EUVD-2023-30273	3 Oct 202520:07	–	euvd
NVD	CVE-2023-26453	2 Nov 202314:15	–	nvd
Prion	Design/Logic Flaw	2 Nov 202314:15	–	prion
Positive Technologies	PT-2023-20646 · Unknown · Imageconverter Service	2 Nov 202300:00	–	ptsecurity
RedhatCVE	CVE-2023-26453	23 May 202505:39	–	redhatcve

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "office"
    ],
    "product": "OX App Suite",
    "vendor": "OX Software GmbH",
    "versions": [
      {
        "lessThanOrEqual": "7.10.6-rev5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.12",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
software	www.software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf
documentation	www.documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json

12 Jan 2024 07:09Current

9High risk

Vulners AI Score9

CVSS 3.17.6

EPSS0.00371

CWE-89