CVE-2023-26447
MEDIUMopen-xchange_appsuite_frontend < 7.10.6 - Stored Cross-Site Scripting in Upsell Widget
Title source: llmDescription
The "upsell" widget for the portal allows to specify a product description. This description taken from a user-controllable jslob did not get escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize jslob content. No publicly available exploits are known.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Aug/8
Release Notes release-notes
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Vendor Advisory vendor-advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
Scores
CVSS v3
5.4
EPSS
0.0010
EPSS Percentile
27.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
open-xchange/open-xchange_appsuite_frontend
< 7.10.6
Published
Aug 02, 2023
Tracked Since
Feb 18, 2026