Lucene search

OXCVELIST:CVE-2023-41710

HistoryJan 08, 2024 - 9:04 a.m.

CVE-2023-41710

2024-01-0809:04:38

www.cve.org

user-defined script

upsell shop

content sanitization

dom attack

trusted domain

exploit

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

14.2%

JSON

User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "frontend"
    ],
    "product": "OX App Suite",
    "vendor": "Open-Xchange GmbH",
    "versions": [
      {
        "lessThanOrEqual": "7.10.6-rev34",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

References

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json

software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6251_7.10.6_2023-09-25.pdf