Lucene search

PRIOn knowledge basePRION:CVE-2023-26439

HistoryAug 02, 2023 - 1:15 p.m.

Sql injection

2023-08-0213:15:00

PRIOn knowledge base

www.prio-n.com

cacheservice api

sql injection

parameter sanitization

unauthorized access

data security

api calls

malicious content

nvd

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.

CPENameOperatorVersion
open-xchange_appsuite_officelt8.11

CPE	Name	Operator	Version
	open-xchange_appsuite_office	lt	8.11

References

packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html

seclists.org/fulldisclosure/2023/Aug/8

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json

software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf