CVE-2023-26441
MEDIUM
open-xchange_appsuite_office < 8.11 - Path Traversal in Cacheservice
Title source: llm
Description
Cacheservice did not correctly check if relative cache objects were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the service's system user account. We have improved path validation and make sure that any access is contained to the defined root directory. No publicly available exploits are known.
References (4)
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Aug/8
Release Notes
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Vendor Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
Scores
CVSS v3
5.7
EPSS
0.0004
EPSS Percentile
12.4%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
Details
CWE
CWE-22
CWE-200
Status
published
Products (1)
open-xchange/open-xchange_appsuite_office
< 8.11
Published
Aug 02, 2023
Tracked Since
Feb 18, 2026