CVE-2023-26427

LOW

Properties File - Info Disclosure

Title source: llm

Description

Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated the default permissions for noreply.properties set during package installation. No publicly available exploits are known.

References (4)

[Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2023/Jun/8

[Release Notes] https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf

[Vendor Advisory] https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json

Scores

CVSS v3 3.2

EPSS 0.0006

EPSS Percentile 19.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Details

CWE

CWE-732 CWE-922

Status published

Products (2)

open-xchange/open-xchange_appsuite_backend 7.10.6 (2 CPE variants)

open-xchange/open-xchange_appsuite_backend < 7.10.6

Published Jun 20, 2023

Tracked Since Feb 18, 2026