PRIOn knowledge base: PRION:CVE-2023-26451
History: Aug 02, 2023 - 1:15 p.m.

Authorization

2023-08-02 13:15:00
PRIOn knowledge base
www.prio-n.com

Tags: authorization, oauth, integrated, randomness, tokens, third parties, interception, compromised accounts, implementation update, exploits

AI Score: 7.5 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 38.7%)

Functions with insufficient randomness were used to generate authorization tokens of the integrated OAuth Authorization Service. Authorization codes were predictable for third parties and could be used to intercept and take over the client authorization process. As a result, other users' accounts could be compromised. The OAuth Authorization Service is not enabled by default. We have updated the implementation to use sources with sufficient randomness to generate authorization tokens. No publicly available exploits are known.

CPE / Name | Operator | Version
open-xchange_appsuite_backend | le | 8.11.0
