CVE-2023-26445
MEDIUMOpen-Xchange App Suite jslob Theme - Cross-Site Scripting
Title source: manualDescription
Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Aug/8
Release Notes release-notes
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Vendor Advisory vendor-advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
Scores
CVSS v3
5.4
EPSS
0.0007
EPSS Percentile
21.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L
Details
CWE
CWE-79
Status
published
Products (1)
open-xchange/open-xchange_appsuite_frontend
< 7.10.6
Published
Aug 02, 2023
Tracked Since
Feb 18, 2026