Lucene search

[email protected]NVD:CVE-2023-29049

HistoryJan 08, 2024 - 9:15 a.m.

CVE-2023-29049

2024-01-0809:15:20

CWE-79

[email protected]

web.nvd.nist.gov

script injection

upsell widget

sanitized

risk

cve-2023-29049

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.0%

JSON

The “upsell” widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.

Affected configurations

NVD

Node

open-xchangeox_app_suiteRange<7.10.6

open-xchangeox_app_suiteMatch7.10.6-

open-xchangeox_app_suiteMatch7.10.6rev01

open-xchangeox_app_suiteMatch7.10.6rev02

open-xchangeox_app_suiteMatch7.10.6rev03

open-xchangeox_app_suiteMatch7.10.6rev04

open-xchangeox_app_suiteMatch7.10.6rev05

open-xchangeox_app_suiteMatch7.10.6rev06

open-xchangeox_app_suiteMatch7.10.6rev07

open-xchangeox_app_suiteMatch7.10.6rev08

open-xchangeox_app_suiteMatch7.10.6rev09

open-xchangeox_app_suiteMatch7.10.6rev10

open-xchangeox_app_suiteMatch7.10.6rev11

open-xchangeox_app_suiteMatch7.10.6rev12

open-xchangeox_app_suiteMatch7.10.6rev13

open-xchangeox_app_suiteMatch7.10.6rev14

open-xchangeox_app_suiteMatch7.10.6rev15

open-xchangeox_app_suiteMatch7.10.6rev16

open-xchangeox_app_suiteMatch7.10.6rev17

open-xchangeox_app_suiteMatch7.10.6rev18

open-xchangeox_app_suiteMatch7.10.6rev19

open-xchangeox_app_suiteMatch7.10.6rev20

open-xchangeox_app_suiteMatch7.10.6rev21

open-xchangeox_app_suiteMatch7.10.6rev22

open-xchangeox_app_suiteMatch7.10.6rev23

open-xchangeox_app_suiteMatch7.10.6rev24

open-xchangeox_app_suiteMatch7.10.6rev25

open-xchangeox_app_suiteMatch7.10.6rev26

open-xchangeox_app_suiteMatch7.10.6rev27

open-xchangeox_app_suiteMatch7.10.6rev28

open-xchangeox_app_suiteMatch7.10.6rev29

open-xchangeox_app_suiteMatch7.10.6rev30

open-xchangeox_app_suiteMatch7.10.6rev31

open-xchangeox_app_suiteMatch7.10.6rev32

open-xchangeox_app_suiteMatch7.10.6rev33

References

packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html

seclists.org/fulldisclosure/2024/Jan/3

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json

software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.0%

JSON

Related for NVD:CVE-2023-29049

osv1 cve1 prion1 cvelist1