Description
The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Aug/8
Release Notes release-notes
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Vendor Advisory vendor-advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
Scores
CVSS v3
7.1
EPSS
0.0006
EPSS Percentile
18.6%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
open-xchange/open-xchange_appsuite_office
< 8.11
Published
Aug 02, 2023
Tracked Since
Feb 18, 2026