Lucene search

[email protected]NVD:CVE-2024-23188

HistoryMay 06, 2024 - 7:15 a.m.

CVE-2024-23188

2024-05-0607:15:07

CWE-79

[email protected]

web.nvd.nist.gov

cve-2024-23188

malicious script execution

browser session

user interaction

api requests

information extraction

patch releases

external content handling

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

15.7%

JSON

Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding attachment information to the web interface. No publicly available exploits are known.

References

seclists.org/fulldisclosure/2024/May/3

documentation.open-xchange.com/appsuite/releases/8.22/

documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for NVD:CVE-2024-23188

cvelist1 cve1